CoN 25th Anniversary: 1997-2022
The ROM hacking thread

 
How interested are you in learning about ROM hacking?
Not at all. I don't really know why I'm in this thread, frankly. [ 4 ]  [16.67%]
I'm interested, but would prefer immediate results. [ 0 ]  [0.00%]
I'm interested, but uncertain. [ 5 ]  [20.83%]
I'm interested, and willing to put effort into things before seeing results. [ 9 ]  [37.50%]
I just want to know the basics. [ 6 ]  [25.00%]
Total Votes: 24
Posted: 4th August 2005 14:44

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
ROM hacking is somewhat of a curio for most members. Only a few of us can hack ROMs. The rest are forced to resort to (now very outdated) editors and don't know the first thing about ROM hacking as a whole. As a result, some very creative ideas that could be put towards assembling an awesome ROM hack simply fail. Worse yet, ROM hacking is often heavily misunderstood and requests are either unreasonable, impossible to achieve, or simply (to someone who knows what the whole deal is about) stupid.

As a rather seasoned veteran of ROM hacking, I feel it'd be a learning experience for everyone to give ROM hacking "lessons" and to dispel popular myths about the domain as a whole. My intention isn't to tell you to grab a hex editor and modify this and that to make Celes topless, but rather to explain how to hack a ROM and make something out of it. Some of you certainly have it in you to make something impressive, and we can only benefit from having more heads working towards pushing the field forward.

The purpose of the poll is to know what would interest potential posters in this thread. I think we all know quite well how this here ROM hacker/programmer loves the field he works in, and I tend to be quite passionate about it. Jumping into assembly hacks right away would only alienate the common newcomer and I'd soon be the only one posting in this thread (which would draw mean glares from the moderators. wink.gif ) If most people are seriously interested in learning, then I'll gladly launch into detailed explanations of how the SNES's hardware works, how it handles sprites and how to modify them, how to find stuff in a ROM, and even some basic assembly. But if interest centers around quick, simple modifications (such as how to change an enemy's stats or something simple like that) then there's hardly a point in explaining how the SNES hardware works now, is there?

This thread is NOT going to deal with emulation or ROMs. I'm not going to give anyone the ROM, be it here or in PM. Just thought I'd get that out of the way. smile.gif

So. Thoughts, opinions, interest?

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92768
Top
Posted: 4th August 2005 15:06

*
Black Mage
Posts: 171

Joined: 11/2/2005

Awards:
Member of more than ten years. Member of more than five years. 
I'm definitely interested! Sign me up right away! thumbup.gif

--------------------
~ Aurora, exhale bloody air! Dark Holy! ~
Post #92772
Top
Posted: 4th August 2005 15:13

*
Black Waltz
Posts: 903

Joined: 29/5/2005

Awards:
Member of more than ten years. User has rated 25 fanarts in the CoN galleries. Major involvement in the Final Fantasy V section of CoN. Second place in CoNCAA, 2011. 
Member of more than five years. Has more than fifteen news submissions to CoN. First place in CoNCAA, 2009. Vital involvement in the Final Fantasy IV section of CoN. 
I'd go for it. The only problem is I don't have the right programs sad.gif .
Post #92773
Top
Posted: 4th August 2005 15:22

*
Engineer
Posts: 447

Joined: 12/6/2005

Awards:
Member of more than ten years. Member of more than five years. 
I'm definitely interested in pretty much anything involving programming. Right now I'm TRYING to learn C++ (the math is over my head, but I'm making progress), so I'm DEFINITELY interested in ROM Hacking.

--------------------
The island bathes in the sun's bright rays
Distant hills wear a shroud of grey
A lonely breeze whispers in the trees
Sole witness to history

ICO-You were there-
Post #92774
Top
Posted: 4th August 2005 15:30

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Wow. I wasn't expecting such a positive and determined response. biggrin.gif

Concerning programs, the only thing you'd need is a hex editor. And, well, an emulator to test your modifications, but that goes without saying. You can easily pick up a basic yet functional hex editor by googling for it (anything that allows you to open a file and change hex inside of it will work; I use MSVC's built-in editor, myself, but MSVC is a costly piece of software so I can't recommend that.)

If interest remains as strong as it currently is, I might write up a walkthrough on how to make certain changes to FF6 after going through the basics. What are you guys more interested in? Graphic-related stuff, text-related stuff, modifying data, modifying the game's code...? I could cover everything, but it might be best if I spent more time covering things that are going to be used more actively.

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92776
Top
Posted: 4th August 2005 15:33

*
Disciplinary Committee Member
Posts: 564

Joined: 2/7/2004

Awards:
Member of more than ten years. Member of more than five years. Winner of the 2005 100k post contest. 
I'm just wondering... why do you say SNES? It's not like we won't be able to hack PSX/X-Box/GBA games if we learn how to hack ROMs.

I am totally in, I have a big project but I don't know where to start. Of course I will put all my effort unto it and try to do like you RL & Caesar.

Anyways, I'm heading to college next year, and learning if it's just a little of ROM hacking could be really useful to me.

I hope you will teach us what can possibly be done, because we all know you cannot create a totally different game using an existing game; it would be a waste since it would take less time to create a new one...

I learned binary and hexadecimal on my own using a scientific calculator in my math class tongue.gif . So I guess I'm ready for the next step (second one sad.gif )

Edit
I would like to modify data & to be able to modify the game's code. Changing sprites isn't so hard (yet takes time) and I don't think it would be such a challenge. However modifying data is surely the first thing I would want to achieve.


This post has been edited by Zodiac on 4th August 2005 15:39

--------------------
Sayonara
Post #92779
Top
Posted: 4th August 2005 15:52

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Unfortunately, SNES ROM hacking and even NES ROM hacking are very different. The theory behind both systems is the same, but everything else (graphic formats, registers and hardware, etc) varies almost entirely. It would still give you a very good introduction to other systems and, hopefully, enable you to hack those systems if you can get your hands on a document describing their hardware. wink.gif

While ROM hacking won't teach you anything too definite about programming, it will help you understand fundamental concepts (binary file formats and pointers, for one) and, if you take assembly as a course, give you quite a head start. The general theory behind assembly is the same for all chipsets, but the instructions and register layout can change quite a bit. But knowing some ROM hacking (even if it's just changing stuff and no assembly) definitely helps understanding programming concepts, and vice-versa. wink.gif

My notes are at home (I'm at work currently) so I'll wait until later tonight to get started with the basics. But I think I'll start with a brief intro to hex and binary and what they have to do with ROMs, and post a quick guide to editing something. Say, character stats. Then I'll move on to how to know that what you've modified represents stats (which would slowly lead into some basic assembly). After that, most of you should be able to take a ROM, fiddle around a bit, and find where basic data is loaded then modify it (such as how many points enemies are worth in Super Mario World, or what the shops in Earthbound sell.)

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92781
Top
Posted: 5th August 2005 00:00

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
ROM Hacker Lesson 01
What's all that fancy hex stuff about?


Let's get straight to the point. Hex is just a different way of representing numbers. We use the decimal system (base 10), computers use binary (base 2). But since it's easier to keep track of numbers than a long complex string of 0s and 1s, we usually represent stuff using the hexadecimal system (base 16). The reasons behind this are not important right now and we'd get side-tracked talking about them.

Protip: Hex is just a different way of representing numbers!

I won't give an intro to hex, but rather explain how to convert to and from hex the quick and dirty way: Windows's calculator. Just fire up the calculator and go into scientific mode (View menu, Scientific) and select the hexadecimal display (View menu, Hex; OR you can just press F5). Just to test things real quick, type "AF" without the quotes. Now switch to decimal (View menu, Decimal; OR you can just press F6). Your AF becomes 175. This is what AF means: one hundred and seventy five. You can convert from decimal to hexadecimal by doing it backwards (go in decimal mode, type in a number, then switch to hexadecimal mode.)

Protip: Use the Windows calculator to convert hex and dec with ease.

Here are the different parts of a hexadecimal value.

A: Nybble. From 0 (0) to 15 (F).
AF: Byte. From 0 (0) to 255 (FF). Typically used by the SNES.
AF3A: Word. From 0 (0) to 65535 (FFFF).

Hex is usually written with 0x in front of it to tell it apart from decimal (ie, 0x10 vs 10), or sometimes $# (ie, $#10 vs 10). I'll refer to hex by the 0x method from now on, so if you don't see 0x in front of a number, it's in decimal.

Protip: After the first mechanic whale in Dive Man's stage, you can fall into a hole lined with spikes to find the hook adaptor!

Now that hexadecimal no longer holds any secrets for you, it's time to learn just what it means. Here's a little introductory example...

Protip: Dude. Don't put eggs in a microwave when they're still in their shell. Trust me on this.

0 compressed
1 fun
2 is
3 text
4 This
5 .
6 !

Sentence 1: 4 2 0 3 5
Sentence 2: 4 2 1 6

Intuition should tell you that the numbers in these "sentences" translate to a word or character. For instance, sentence 1 is "This", "is", "compressed", "text", "." Instead of writing the entire sentence, we only write 5 numbers: much smaller, isn't it? This is almost how most SNES games store text: they represent commonly-used groups of characters by a hexadecimal value.

This example is only one of the ways hex can be used. Here's another simpler one those of you who do HTML may be used to.

<div style="background:#FF0080">

#FF0080 are actually 3 hex values: 0xFF 0x00 0x80. Each represents a color component: 0xFF is 255 Red, 0x00 is 0 Green, and 0x80 is 128 Blue. Here, 3 hex bytes are used to represent a color.

Protip: Hex is often used to simply represent something, be it an enemy ID, the score something gives you, or how red a pixel is.

Games also use hex to represent numbers (believe it or not tongue.gif ) For instance, you might have the following structure...

0x0A 0x00 0x18 0x01
0x10 0x00 0x20 0x04
0x20 0x01 0x80 0x02

This is weapon data for an imaginary game. If we know that the game reads 1 byte for the attack power, two bytes (a word) for the price, then 1 more byte for the ID of the character who uses it, here's what this actually represents.

Power: 10. Price: 24. Character ID: 1.
Power: 16. Price: 32. Character ID: 4.
Power: 32. Price: 384. Character ID: 2.

Protip: Hex is basically a means of representing data, be it text, colors, or numbers. It can also represent sound, and even programming instructions by associating a number with a command!

What you should know by now
1- How to convert to and from hex.
2- How a game could use hex to represent data.
3- What not to put in a microwave oven.

Next lesson: how binary can be used to have 1 byte represent up to 8 things, and how a ROM is laid out internally.

This lesson may be a little complex for someone who's never done hex, so feel free to ask away. Understanding just how a game represents data (in a nutshell) is vital to understanding how to change it. To know if you've grasped the concept properly, here's a little exercise.

You know Game X has the following structure for its enemies.

Byte 1: Sprite ID
Bytes 2-3: Enemy HP
Byte 4: Enemy MP
Byte 5: Enemy Power
Byte 6: Enemy Defense
Byte 7-8: Exp earned
Byte 9-10: Gold earned

Looking at the right place in the ROM, you locate the enemy data for all 5 of the game's enemies. (I've made it a little easier by aligning data, but in a real ROM they'd all be on the same line. These are in hex.)

01 00 32 00 05 02 00 64 00 0A
02 00 50 05 0C 02 00 FA 00 19
03 00 AF 0F 12 05 01 90 00 46
04 01 09 08 19 0A 02 EE 00 B4
05 01 C2 19 28 0F 05 DC 01 13

You find the game to be unbalanced: chimeras don't do enough damage and die too rapidly. Therefore, you figure you'll give them 300 HP and an attack power of 32. You don't know its ID, but you DO know that you gain 750 exp and 180 gold for beating one. Which byte(s) will you change, and to which value?

Possible spoilers: highlight to view
01 00 32 00 05 02 00 64 00 0A
02 00 50 05 0C 02 00 FA 00 19
03 00 AF 0F 12 05 01 90 00 46
04 01 2C 08 20 0A 02 EE 00 B4
05 01 C2 19 28 0F 05 DC 01 13

By looking at each monster's EXP bytes, we can see that the 4th one in the list (0x02 0xEE) comes out to 750 when converted to decimal. Aha! That must be the chimera. To make sure, we check its gold too: 0x00 0xB4 comes out as 180 in decimal. Congrats! If you've made it this far, you know how to look through hex to find a certain enemy/item/whatnot! Now we change its HP bytes to 300 (byte 2 and 3 to 0x01 0x2C) and its attack power to 32 (byte 5 to 0x32).


We'll get to how to find out where these chunks of data are located after the next lesson.

Edit: Typo. One of many, most likely. smile.gif

This post has been edited by Silverlance on 5th August 2005 00:00

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92850
Top
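The exercise above (find the chimera by its rewards, then patch its HP and attack power) can be done by a short script instead of by eye, and the same record parser handles the imaginary weapon table from earlier in the lesson. This is an added example and not code from the lesson or from any editor the thread mentions; the record layouts and the sample bytes are copied from the lesson, and the big-endian field order (high byte first, as the exercise reads 02 EE as 750) is the exercise's own convention, not that of the real SNES.

```python
import struct

# Constructed sample: the lesson's "Game X" enemy table, five records of
# ten bytes, exactly as printed in the exercise.
ENEMY_TABLE_HEX = """
01 00 32 00 05 02 00 64 00 0A
02 00 50 05 0C 02 00 FA 00 19
03 00 AF 0F 12 05 01 90 00 46
04 01 09 08 19 0A 02 EE 00 B4
05 01 C2 19 28 0F 05 DC 01 13
"""

# Layout as the exercise states it. ">" means big-endian: the exercise reads
# two-byte fields high byte first (00 32 = 50, 02 EE = 750).
ENEMY_FORMAT = ">BHBBBHH"
ENEMY_FIELDS = ("sprite", "hp", "mp", "power", "defense", "exp", "gold")

# The lesson's imaginary weapon table: 1 byte power, 2 bytes price, 1 byte character.
WEAPON_TABLE_HEX = "0A 00 18 01  10 00 20 04  20 01 80 02"
WEAPON_FORMAT = ">BHB"
WEAPON_FIELDS = ("power", "price", "character_id")


def parse_records(raw, fmt, fields):
    """Split a byte string into fixed-size records and name each field."""
    size = struct.calcsize(fmt)
    if len(raw) % size:
        raise ValueError(f"{len(raw)} bytes is not a whole number of {size}-byte records")
    return [dict(zip(fields, struct.unpack(fmt, raw[i:i + size])))
            for i in range(0, len(raw), size)]


def find_record(records, **criteria):
    """Index of the single record whose fields match every criterion."""
    hits = [i for i, rec in enumerate(records)
            if all(rec[key] == value for key, value in criteria.items())]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, found {len(hits)}")
    return hits[0]


def patch_record(raw, fmt, fields, index, **changes):
    """Copy of raw with the chosen fields of record `index` replaced.

    struct.pack refuses a value that does not fit its field (HP above 65535
    in a two-byte field, for instance), so a bad edit fails here instead of
    silently spilling into the neighbouring byte.
    """
    size = struct.calcsize(fmt)
    start, end = index * size, (index + 1) * size
    unknown = set(changes) - set(fields)
    if unknown:
        raise KeyError(f"no such field(s): {sorted(unknown)}")
    record = dict(zip(fields, struct.unpack(fmt, raw[start:end])))
    record.update(changes)
    packed = struct.pack(fmt, *(record[f] for f in fields))
    return raw[:start] + packed + raw[end:]


def hex_rows(raw, size):
    """One upper-case hex line per record, like the lesson's listing."""
    return [raw[i:i + size].hex(" ").upper() for i in range(0, len(raw), size)]


def solve_exercise():
    """Find the chimera by its 750 EXP / 180 gold and give it 300 HP, 32 power."""
    raw = bytes.fromhex(ENEMY_TABLE_HEX)
    enemies = parse_records(raw, ENEMY_FORMAT, ENEMY_FIELDS)
    chimera = find_record(enemies, exp=750, gold=180)
    patched = patch_record(raw, ENEMY_FORMAT, ENEMY_FIELDS, chimera, hp=300, power=32)
    return chimera, hex_rows(patched, struct.calcsize(ENEMY_FORMAT))


def parse_weapons():
    return parse_records(bytes.fromhex(WEAPON_TABLE_HEX), WEAPON_FORMAT, WEAPON_FIELDS)


if __name__ == "__main__":
    index, rows = solve_exercise()
    print(f"chimera is record {index}; patched table:")
    print("\n".join(rows))
    for weapon in parse_weapons():
        print(weapon)
```

Running it prints the patched table with the fourth row reading `04 01 2C 08 20 0A 02 EE 00 B4`, matching the spoiler. The point of `find_record` insisting on exactly one hit is the check you would do by hand anyway: if two enemies gave the same EXP and gold you would need another field to tell them apart before writing anything.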
Posted: 5th August 2005 00:22

*
Engineer
Posts: 447

Joined: 12/6/2005

Awards:
Member of more than ten years. Member of more than five years. 
Nice! Next lesson, please!

Nah, just kidding, I know this takes time to do... thanks a bunch!


... So THAT'S where the hook adapter is!

Edit
By the way, regarding Endless Saga, that's a very nice-looking cave ya got thar!


This post has been edited by Spiffyness on 5th August 2005 00:37

--------------------
The island bathes in the sun's bright rays
Distant hills wear a shroud of grey
A lonely breeze whispers in the trees
Sole witness to history

ICO-You were there-
Post #92857
Top
Posted: 5th August 2005 00:33

*
Disciplinary Committee Member
Posts: 564

Joined: 2/7/2004

Awards:
Member of more than ten years. Member of more than five years. Winner of the 2005 100k post contest. 
Hey thanks! I learned a lot of things laugh.gif

The rest was logical...

Quote
A: Nybble. From 0 (0) to 15 (F).
AF: Byte. From 0 (0) to 255 (FF). Typically used by the SNES.
AF3A: Word. From 0 (0) to 65535 (FFFF).


Quote
A Hex value can represent a word or a group of letters


Quote
NEVER put an egg in the microwave. Rules were made to be broken, didn't your mom ever tell you that? laugh.gif (Yet, DO NOT BREAK CoN's RULES)


Nothing else, but I'm sure this was (will be) more helpful to others. smile.gif

This post has been edited by Zodiac on 5th August 2005 01:32

--------------------
Sayonara
Post #92862
Top
Posted: 5th August 2005 01:21

*
Climbing Marle!
Posts: 1,640

Joined: 21/6/2004

Awards:
Member of more than ten years. Participated at the forums for the CoN's 15th birthday! Major involvement in the Final Fantasy V section of CoN. Member of more than five years. 
I can see this thread being very useful to some members. Great idea, RL!

Just let me know when you want me to lecture on how freakin long it takes to actually complete a project. wacko.gif blink.gif

--------------------
Is PJ
Post #92873
Top
Posted: 5th August 2005 01:24

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Quote (Caesar @ 4th August 2005 20:21)
Just let me know when you want me to lecture on how freakin long it takes to actually complete a project. wacko.gif blink.gif

I'll back up your claim with a few projects of my own. tongue.gif

Patience is a virtue. But you do get to see constant progress when ROM hacking, as opposed to programming which may take a little while beforehand.

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92875
Top
Posted: 5th August 2005 17:37

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
(Note: I'm typing this via a Lynx browser, so the formatting may be off. Forgive me if it is. tongue.gif)

ROM Hacking Lesson 2: A few specifications

Last lesson dealt with something vital in ROM hacking: hex. What you learned (assuming you did learn something. smile.gif ) applies to ANYTHING, not just SNES ROMs. In fact, it applies even to PC programs. This lesson will deal with the SNES-specific details, and next one will apply the concepts in this lesson and the previous one towards making actual modifications to FF6. Just bear with me a little longer, we're almost through getting the nitty-gritty stuff out of the way. wink.gif

Protip: For some reason, the boss' dog is in my office. I'm playing catch with him using a paper ball.

First, a few clarifications on hex. Often, when hex represents something (like words, see the previous lesson's "compressed sentences") it'll start off at 0x00 instead of 0x01. The reason for this is simple: "one" doesn't exist. Only 256 (0-255, or 0x00 - 0xFF) values. By starting at 0x01, we lose 0x00, which means one possible value less. This is not always the case, sometimes it might start at some arbitrary value like 0x80 (as do FF6's animation command IDs). This has something to do with flags (which we'll get to in a moment.)

Protip: Typically, you start counting from 0x00 instead of from 0x01 in hex, as opposed to the way we count ("one, two, three...").

Flags are very important when ROM hacking, as they're a means of compressing up to 8 values into a single byte: hardly something you'd just ignore when you only have 65k of RAM! Flags work in binary. Open up calc and type "80" in hex mode, then switch to the binary display (from the view menu, or with F8). You should see "10000000" This is the binary form of 0x80. Try it with "40", "20", "10", "08", "04", "02", and "01". These values are important: each represents one bit. Now let's suppose you take an 8-bit binary string (a byte) and decompose it as such:

Bit 0x01: Poison
Bit 0x02: Blind
Bit 0x04: Sleep
Bit 0x08: Petrify
Bit 0x10: Mute
Bit 0x20: Confused
Bit 0x40: Slow
Bit 0x80: Dead

Now, when a bit is set (1), you have the corresponding status. When it's unset (0), you don't. So a perfectly healthy character would have 0x00 (00000000). A mute character would have 0x10 (00010000). What about a mute, blind, and slowed character? In that case, you just add the flags together: 0x10 + 0x02 + 0x40, 0x52 (01010010). So what would 0xC4 be? (11000100) Dead + Slow + Sleep. (Note that some people refer to these bits as bits 0 - 7 instead of 0x01 - 0x80. Notice, too, that bit 0 would actually be the 8th bit from the left. You count them from the right, just like in decimal. 1043: 3 is the 1st digit, 4 the 2nd, 0 the 3rd, and 1 the 4th.)

Protip: For some reason, I closed the italics prematurely in this one. Huh.

If you understand the above, you can pretty much skip the rest. However, the following bit is about addresses, and you probably want to try to understand it if you want to know where to look for stuff in your ROM after opening it with a hex editor.

The SNES divides its data into 64k blocks of data called "banks." These banks are numbered starting at 0xC0. It can be pretty long to jump between banks, so typically the SNES will try to fit all related data into the same bank. FF6 uses bank C0 to store the map-related code, C1 to store most battle-related code, C2 to store the battle mechanics, and C3 for most menu-related things (including shops and the coliseum.) Typically, if data doesn't fit perfectly in the bank, the bytes left over will be padded with blank values (FF6 uses 0xFF, so a long series of 0xFFs is probably blank space.)

Other banks used by the SNES include SRAM for saved games (0x30 IIRC), WRAM for work RAM (0x7E and 0x7F), and a few potential others (can't remember off-hand. smile.gif )

Protip: When someone talks about "bank xyz", now you know what they're talking about. You HAVE been paying attention, right?

Often people will talk about a location in the ROM like so: "C1/E4A0" This means bank C1, offset (new word!) E4A0. Or, if you prefer, whatever they're talking about is 0xE4A0 bytes into bank 0xC1. There are other means of representing this, such as C1:E4A0 (my preferred method), $C1E4A0, etc.. You'll see the latter often in assembly.

Unfortunately, files on your PC don't deal with banks and all start at offset 0x00000000. You need to convert a SNES address into a file offset first. There's a trick though: SNES offsets start at 0xBFFE00, so subtract that from the SNES ROM address and you'll have a file offset. For instance, you want to go see what's at C1:E4A0 in your ROM. Take 0xC1E4A0 and subtract 0xBFFE00 from it: 0x1E6A0. Use your hex editor to go there in the ROM, and voila! You can convert to a ROM address by adding 0xBFFE00 to the file offset. Just remember that value and you'll be fine: 0xBFFE00. Think "0xBeef00" but with the e and f switched around.

Protip: Beef is good.

Now you know how hex works, how the SNES uses hex to represent data from text to equipment, a few handy tricks with flags, and how the SNES handles addresses. You're ready to edit some basic stuff!

Edit: One thing I forgot to mention on flags: sometimes flags and values are combined. FF6 stores some properties like this: the lower 3 bits of the byte are the window ID and the 5 remaining bits are various flags (I'll leave out their purpose for now). So 11011010 would be (on)(on)(off)(on)(on)(window ID, which is 2 in this case: 010)

This post has been edited by Silverlance on 6th August 2005 18:11

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #92933
Top
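The status flags and the mixed window-ID byte from the lesson above, as an added example (not the lesson's code, and not FF6's own routines): the bit masks and names are the lesson's list, and the split into a 3-bit window ID plus 5 flag bits is the layout the edit describes. One detail worth seeing in code is that OR-ing flags is the safe form of "add the flags together": adding a flag that is already set carries into the next bit, OR-ing it again changes nothing.

```python
# Status bits as listed in the lesson (mask -> name).
STATUS_BITS = {
    0x01: "Poison", 0x02: "Blind", 0x04: "Sleep", 0x08: "Petrify",
    0x10: "Mute", 0x20: "Confused", 0x40: "Slow", 0x80: "Dead",
}
BIT_FOR_STATUS = {name: mask for mask, name in STATUS_BITS.items()}


def check_byte(value):
    """Reject anything that does not fit in one byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{value:#x} does not fit in one byte")
    return value


def decode_status(value):
    """List the statuses whose bit is set, lowest bit first."""
    check_byte(value)
    return [name for mask, name in STATUS_BITS.items() if value & mask]


def encode_status(names):
    """Combine statuses into one byte with OR, so repeats are harmless."""
    value = 0
    for name in names:
        value |= BIT_FOR_STATUS[name]   # KeyError for a misspelt status
    return value


def set_status(value, name):
    return check_byte(value) | BIT_FOR_STATUS[name]


def clear_status(value, name):
    return check_byte(value) & ~BIT_FOR_STATUS[name] & 0xFF


def has_status(value, name):
    return bool(check_byte(value) & BIT_FOR_STATUS[name])


def bit_number(mask):
    """0x01 -> bit 0 ... 0x80 -> bit 7, counted from the right as the lesson says."""
    if mask not in STATUS_BITS:
        raise ValueError(f"{mask:#04x} is not a single status bit")
    return mask.bit_length() - 1


# The lesson's mixed byte: low 3 bits = window ID, high 5 bits = flags.
WINDOW_BITS = 3
WINDOW_MASK = (1 << WINDOW_BITS) - 1          # 0b00000111


def split_window_byte(value):
    """(window_id, flags) from a packed byte such as 0b11011010."""
    check_byte(value)
    return value & WINDOW_MASK, value >> WINDOW_BITS


def join_window_byte(window_id, flags):
    """Pack a window ID and five flag bits back into one byte."""
    if not 0 <= window_id <= WINDOW_MASK:
        raise ValueError("window ID must be 0-7")
    if not 0 <= flags <= 0x1F:
        raise ValueError("only five flag bits are available")
    return (flags << WINDOW_BITS) | window_id


def as_binary(value):
    """The eight-digit string the calculator's binary view shows."""
    return f"{check_byte(value):08b}"


if __name__ == "__main__":
    for byte in (0x00, 0x10, 0x52, 0xC4):
        print(f"{byte:#04x} {as_binary(byte)} -> {decode_status(byte)}")
    window_id, flags = split_window_byte(0b11011010)
    print(f"window {window_id}, flags {flags:05b}")
```

`split_window_byte(0b11011010)` gives window 2 and flags `11011`, the reading the lesson's edit describes, and `join_window_byte` puts them back; the range checks are there because a flags value with a sixth bit set would otherwise overwrite the window ID.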
Posted: 17th August 2005 02:59

*
Engineer
Posts: 447

Joined: 12/6/2005

Awards:
Member of more than ten years. Member of more than five years. 
I was just reading the thread "VERY Ambitious hack idea" thread, and you mentioned that it seemed nobody was interested in this thread. Well I for one, am actually VERY interested, and I assume others are as well. I didn't post anything because I understood everything you said so I had no questions, and a "that was good, post the next one!" post would be pretty spammy. So I'm just sayin' that nobody's lost interest in ROM Hacking (err... at least I haven't, but I can't speak for the others...).

..."That was good, post the next one!"...

--------------------
The island bathes in the sun's bright rays
Distant hills wear a shroud of grey
A lonely breeze whispers in the trees
Sole witness to history

ICO-You were there-
Post #94076
Top
Posted: 17th August 2005 03:37
*
Holy Swordsman
Posts: 1,972

Joined: 31/7/2003

Awards:
Member of more than ten years. Member of more than five years. Has more than fifty news submissions to CoN. Vital involvement in the Final Fantasy IV section of CoN. 
I'm not really interested in ROM hacking, but I've enjoyed reading this thread. happy.gif The completely random 'protips' distract, though. Keep posting. If nothing else, it will be a reference later.

--------------------
Veni, vidi, dormivi.
Post #94080
Top
Posted: 17th August 2005 04:14

*
Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Well, really, I didn't want to post 3 posts back to back, and the lack of other posts made me wonder whether people bothered with the rather lengthy "lessons" tongue.gif I'm a little out of touch and had to read the two other posts again to catch up, but I'm about ready to post something that should interest most people.

ROM Hacking Lesson 3: Some Actual Modifications!

If you feel the need to, please back up a little and read up on ROM addresses and some basic stuff about flags. We'll be dealing with those in this lesson.

Protip: There will be no random distracting protips in this lesson. Just serious stuff! Please use care, and remember to save your game frequently at an inn!

First, before modifying anything, you'll need a hex editor. I have Microsoft Visual C++ on my PC and use its built-in editor, but the price tag is a little too hefty for someone who'd just want to use it to do some casual ROM hacking. Hunt around on Google and see what you're more comfortable with; here's one. I just picked it at random from Google. tongue.gif

I originally wanted to modify character startup data, but just about any editor allows you to do that. While it may've been an interesting lesson, why not make things interesting and edit stuff the average FF3/6 editor doesn't let you edit? Sabin's blitz commands, here comes the new blood of ROM hacking!

Sabin's blitz commands can be found at offset 0x047C40 (or, as a ROM address, C4:7A40.) Each blitz is 12 bytes long, and there are 8 blitzes. If I were to copy-paste the hex from that address (and skip a line every 12 bytes to make it more convenient; remember: 1 blitz is 12 bytes long) we get the following.

Code
047C40: 0E 0A 0E 01 00 00 00 00 00 00 00 08 Pummel
047C4C: 08 07 0E 01 00 00 00 00 00 00 00 08 Aurabolt
047C58: 03 04 08 0C 01 00 00 00 00 00 00 0A Suplex
047C64: 0E 07 08 09 0A 01 00 00 00 00 00 0C Fire Dance
047C70: 06 05 06 05 03 04 01 00 00 00 00 0E Mantra
047C7C: 0C 0B 0A 09 08 07 0E 01 00 00 00 10 Air Blade
047C88: 06 05 03 04 0A 0E 01 00 00 00 00 0E Spiraler
047C94: 0E 0D 0C 0B 0A 09 08 07 0E 01 00 14 Bum Rush


I added the name of the blitzes myself to make it more convenient. So the first block of 12 bytes controls Pummel. The second, Aurabolt. Etc.

Protip: AH! A PROTIP! Ahem. Don't worry about how I found this data or how I know what it does. We'll get to that in a future lesson. For now, just know that it's there and that it does what I say it does. wink.gif

This data tells the game which commands to input when using Blitz. The first 11 bytes control this information. Each byte is a button. Take Pummel for instance: 0x0E 0x0A 0x0E 0x01. Pummel is supposed to be <- -> <- A. Hrm.

Code
0x0E 0x0A 0x0E 0x01
<-   ->   <-    A


Notice anything? Seems 0x0E means "Left", 0x0A means "Right", and 0x01 means "A". If you want, you can go through the list and come up with what each value stands for; I'll go ahead and post my findings anyhow for the sake of moving this lesson ahead, however.

Code
01 A   02 B   03 X   04 Y
05 L   06 R
07 Down/Left 08 Down   09 Down/Right  0A Right
0B Up/Right  0C Up   0D Up/Left  0E Left


So that's all good, but what's the last byte stand for? It may not be immediately obvious at first: it's the length of the command multiplied by two.

By now, you should have enough information to edit a blitz command. Let's do something basic with this and make Bum Rush into something simpler: <- <- A.

Possible spoilers: highlight to view
Take...
047C94: 0E 0D 0C 0B 0A 09 08 07 0E 01 00 14
And change it to...
047C94: 0E 0E 01 00 00 00 00 00 00 00 00 06

Why? Because 0x0E 0x0E 0x01 means "<- <- A." The 0x00s clear out the extra buttons we won't need anymore. And changing the final 0x14 to 0x06 shortens the command from 10 buttons to 3. smile.gif


What now? Well, next lesson will deal with some slightly more complex data. Until then, experiment with Blitzes until you can alter them as you see fit. If you find a document on editing something in the ROM, you should now know enough to do it on your own, or at least make basic modifications. All you need is the address and a description of the format.

Here's a little gift to anyone interested...

0x2D7EA0: Character startup data (ROM address: ED:7CA0)
Size: 23 bytes, 64 characters.

Byte 01 Starting HP at Level 1
Byte 02 Starting MP at Level 1
Byte 03 Battle Command 1 (Usually [0x00] Fight.)
Byte 04 Battle Command 2
Byte 05 Battle Command 3 (Usually [0x02] Magic.)
Byte 06 Battle Command 4 (Usually [0x03] Item.)
Byte 07 Vigor.
Byte 08 Speed.
Byte 09 Stamina.
Byte 10 Magic Power.
Byte 11 Battle Power.
Byte 12 Defense.
Byte 13 Magic Defense.
Byte 14 Evade %.
Byte 15 Magic Block %.
Byte 16 Initial Weapon.
Byte 17 Initial Shield.
Byte 18 Initial Helm.
Byte 19 Initial Armor.
Byte 20 Initial Relic, Slot 1.
Byte 21 Initial Relic, Slot 2.
Byte 22 Level Byte.

In order, characters are Terra, Locke, Cyan, Shadow, Edgar, Sabin, Celes, Strago, Relm, Setzer, Mog, Gau, Gogo, Umaro, Banon, Leo, Ghost 1, Ghost 2. The rest are various other characters, including Vicks and Wedge, the Moogles, various incarnations of the sprite-form Kefkas you face in event battles, and some dummied out sets of stats.

See if you can do anything with this. wink.gif

This post has been edited by Silverlance on 17th August 2005 04:16

--------------------
"Judge not a man by his thoughts and words, but by
the quality and quantity of liquor in his possession
and the likelihood of him sharing."
Post #94083
Top
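The blitz table from the lesson above, decoded and re-encoded in code: an added example, not the lesson's own tool or anything from an FF6 editor. The button codes, record size, file offset and the eight records are taken from the lesson; the length-byte check (`2 * number of buttons`) is the rule the lesson states, and the decoder refuses a record whose length byte disagrees with its buttons, which is the mistake you make by hand if you shorten a blitz but forget the last byte.

```python
# Button codes from the lesson's table.
BUTTON_NAMES = {
    0x01: "A", 0x02: "B", 0x03: "X", 0x04: "Y", 0x05: "L", 0x06: "R",
    0x07: "Down/Left", 0x08: "Down", 0x09: "Down/Right", 0x0A: "Right",
    0x0B: "Up/Right", 0x0C: "Up", 0x0D: "Up/Left", 0x0E: "Left",
}
CODE_FOR_BUTTON = {name: code for code, name in BUTTON_NAMES.items()}

BLITZ_SIZE = 12               # bytes per blitz
MAX_BUTTONS = 11              # bytes 0-10 hold buttons, byte 11 holds 2 * count
BLITZ_FILE_OFFSET = 0x047C40  # file offset of the table, as given in the lesson
BLITZ_NAMES = ["Pummel", "Aurabolt", "Suplex", "Fire Dance",
               "Mantra", "Air Blade", "Spiraler", "Bum Rush"]

# The eight records as listed in the lesson (addresses and names stripped).
BLITZ_TABLE_HEX = """
0E 0A 0E 01 00 00 00 00 00 00 00 08
08 07 0E 01 00 00 00 00 00 00 00 08
03 04 08 0C 01 00 00 00 00 00 00 0A
0E 07 08 09 0A 01 00 00 00 00 00 0C
06 05 06 05 03 04 01 00 00 00 00 0E
0C 0B 0A 09 08 07 0E 01 00 00 00 10
06 05 03 04 0A 0E 01 00 00 00 00 0E
0E 0D 0C 0B 0A 09 08 07 0E 01 00 14
"""


def decode_blitz(record):
    """Turn one 12-byte record into a list of button names."""
    if len(record) != BLITZ_SIZE:
        raise ValueError(f"a blitz record is {BLITZ_SIZE} bytes, got {len(record)}")
    buttons = []
    for code in record[:MAX_BUTTONS]:
        if code == 0x00:            # 0x00 pads the unused slots
            break
        if code not in BUTTON_NAMES:
            raise ValueError(f"unknown button code {code:#04x}")
        buttons.append(BUTTON_NAMES[code])
    if record[BLITZ_SIZE - 1] != 2 * len(buttons):
        raise ValueError(f"length byte {record[-1]:#04x} does not match {len(buttons)} buttons")
    return buttons


def encode_blitz(buttons):
    """Build a 12-byte record: button codes, 0x00 padding, then 2 * count."""
    if not 1 <= len(buttons) <= MAX_BUTTONS:
        raise ValueError(f"a blitz needs 1 to {MAX_BUTTONS} buttons")
    codes = [CODE_FOR_BUTTON[b] for b in buttons]   # KeyError for a misspelt button
    padding = [0x00] * (MAX_BUTTONS - len(codes))
    return bytes(codes + padding + [2 * len(codes)])


def decode_table(raw):
    """Map each blitz name to its button sequence."""
    if len(raw) != BLITZ_SIZE * len(BLITZ_NAMES):
        raise ValueError("unexpected table size")
    return {name: decode_blitz(raw[i * BLITZ_SIZE:(i + 1) * BLITZ_SIZE])
            for i, name in enumerate(BLITZ_NAMES)}


def replace_blitz(raw, name, buttons):
    """Return the table with one blitz's record replaced."""
    start = BLITZ_NAMES.index(name) * BLITZ_SIZE
    return raw[:start] + encode_blitz(buttons) + raw[start + BLITZ_SIZE:]


def record_offset(name):
    """File offset of this blitz's record: what you type into the hex editor's Go To."""
    return BLITZ_FILE_OFFSET + BLITZ_NAMES.index(name) * BLITZ_SIZE


if __name__ == "__main__":
    table = bytes.fromhex(BLITZ_TABLE_HEX)
    for name, buttons in decode_table(table).items():
        print(f"{record_offset(name):06X}: {' '.join(buttons):45} {name}")
    simpler = replace_blitz(table, "Bum Rush", ["Left", "Left", "A"])
    print("new Bum Rush:", simpler[-BLITZ_SIZE:].hex(" ").upper())
```

The last line of output is `0E 0E 01 00 00 00 00 00 00 00 00 06`, the same bytes as the spoiler, and `record_offset("Bum Rush")` gives `047C94`, the address printed beside that row in the lesson.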
Posted: 17th August 2005 04:20

*
Climbing Marle!
Posts: 1,640

Joined: 21/6/2004

Awards:
Member of more than ten years. Participated at the forums for the CoN's 15th birthday! Major involvement in the Final Fantasy V section of CoN. Member of more than five years. 
XVI32 is a VERY good hex editor. Nice pick!

I have used it for many years. It is not too complex, yet it isn't so simple that it's like using an editor (which is bad). I find that it is the best Hex Editor out there, even better than hex Workshop, especially since it's free and it works.

I have no complaints about this lesson. Very informative and easy to follow. I, myself, am personally looking forward to the animation script hacking post. THAT one, my friend, will be a task to follow, if I do say so myself. happy.gif

--------------------
Is PJ
Post #94085
Top
Posted: 17th August 2005 11:07

*
Dragoon
Posts: 1,796

Joined: 15/11/2003

Awards:
Member of more than ten years. Member of more than five years. 
I really enjoy reading these posts
and all are making perfect sense

I really can't wait to see what's next



--------------------
"Have you ever seen a baby do that before?"
Post #94097
Top
Posted: 17th August 2005 11:32

Group Icon
Lunarian
Posts: 1,394

Joined: 13/3/2004

Awards:
Member of more than ten years. Vital involvement in the Final Fantasy VI section of CoN. Vital involvement in the Final Fantasy V section of CoN. Member of more than five years. 
I never understood the need for the whole BFFE00 subtracting thing. A much easier way (to me) is simply take the offset (C2/457A), add 200h and swap the C for a 0.

C2/457A = 02477A.

Nice lessons, btw; you're not teaching me anything I didn't know, but you make the introduction into hex very easy. Then again, my personal introduction came from several technical documents at Zophar.net, which is roughly the equivalent of trying to learn math by re-reading Einstein's theory on quantum mechanics every day ;)

--------------------
Post #94100
Posted: 17th August 2005 12:24

Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Quote (Djibriel @ 17th August 2005 06:32)
I never understood the need for the whole BFFE00 subtracting thing. A much easier way (to me) is simply take the offset (C2/457A), add 200h and swap the C for a 0.

That's actually pretty similar. :P

BFFE00 is just C00000 - 0x0200. You can drop the bank and add 0x0200, and it comes out the same as working with 0xBFFE00.

I just find it easier to remember that constant because it reminds me of beef (0xBEEF- wait, 0xBFFE00) ;) Kinda stuck in my mind ever since.

Post #94102
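The two conversions in the posts above are the same arithmetic written two ways, and the point where people go wrong is not the subtraction but the bank: feed a WRAM address ($7E/$7F) or a mistyped bank digit through it and you land silently in the wrong part of the file. Here both methods are written out side by side with that check, plus the inverse for going from a hex-editor offset back to a SNES address. This is an added example for this thread, not code from any post or from Project Rebirth; it assumes the HiROM layout the C2/457A = 02477A figure implies (bank $C0 is the first ROM byte) and an optional 0x200-byte copier header on the .smc dump.

```python
"""Convert SNES HiROM addresses (banks $C0-$FF) to .smc file offsets and back.

Added example for this thread; not code from the original posts. It assumes
the HiROM mapping the thread uses (bank $C0 = ROM offset 0) and an optional
0x200-byte copier header on the dump.
"""

HEADER_SIZE = 0x200                        # 512-byte copier header on most .smc dumps
HIROM_BASE = 0xC00000                      # bank $C0 maps to the first ROM byte
BEEF_CONSTANT = HIROM_BASE - HEADER_SIZE   # 0xBFFE00, the "beef" constant


def parse_snes_address(text: str) -> int:
    """Accept 'C2/457A', 'C2:457A', '$C2457A' or 'C2457A' and return a 24-bit int."""
    cleaned = text.strip().lstrip("$").replace("/", "").replace(":", "")
    if len(cleaned) != 6:
        raise ValueError(f"expected a 6-hex-digit SNES address, got {text!r}")
    return int(cleaned, 16)


def format_snes_address(addr: int) -> str:
    """Render a 24-bit address in the thread's BANK/OFFSET style, e.g. 'C2/457A'."""
    return f"{addr >> 16:02X}/{addr & 0xFFFF:04X}"


def _check_rom_bank(addr: int) -> None:
    # Only banks $C0-$FF are ROM in this mapping. $7E/$7F are WRAM, and bank
    # digits outside C0-FF would still produce a plausible-looking but wrong
    # file offset if fed through the same arithmetic, so refuse them here.
    if not 0xC00000 <= addr <= 0xFFFFFF:
        raise ValueError(f"{format_snes_address(addr)} is not in the ROM banks $C0-$FF")


def to_file_offset_subtract(addr: int, headered: bool = True) -> int:
    """Silverlance's method: subtract 0xBFFE00 (0xC00000 for a headerless dump)."""
    _check_rom_bank(addr)
    return addr - (BEEF_CONSTANT if headered else HIROM_BASE)


def to_file_offset_swap(addr: int, headered: bool = True) -> int:
    """Djibriel's method: turn the leading C into 0 (clear the top two bits), add 0x200."""
    _check_rom_bank(addr)
    return (addr & 0x3FFFFF) + (HEADER_SIZE if headered else 0)


def to_snes_address(offset: int, headered: bool = True) -> int:
    """Inverse: take a file offset from the hex editor back to a $C0-$FF address."""
    rom_offset = offset - (HEADER_SIZE if headered else 0)
    if not 0 <= rom_offset < 0x400000:
        raise ValueError(f"offset {offset:#x} is outside a 4 MiB HiROM image")
    return HIROM_BASE + rom_offset


if __name__ == "__main__":
    for text in ("C2/457A", "C3/1F30", "C0/0000"):
        addr = parse_snes_address(text)
        print(text, "->", f"{to_file_offset_subtract(addr):06X}",
              f"{to_file_offset_swap(addr):06X}")
```

Subtracting 0xC00000 and masking with 0x3FFFFF give the same answer for every address in $C0-$FF, which is why the two methods never disagree; the only real difference is whether you remember to add the header, so pass `headered=False` for a dump that has had its 512 bytes stripped.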
Posted: 17th August 2005 13:41

Lunarian
Posts: 1,394

Joined: 13/3/2004

Awards:
Member of more than ten years. Vital involvement in the Final Fantasy VI section of CoN. Vital involvement in the Final Fantasy V section of CoN. Member of more than five years. 
Oh, I know; it's just that I'd rather do it without Windows Calculator. Not that it doesn't tend to be open anyway when I'm working with it, but...

--------------------
Post #94103
Posted: 17th August 2005 19:57

Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
For anyone interested, I might write a quick little app to display text as it would appear in-game given an address, or to follow pointers/pointer lists. My old never-released editor, Project Rebirth, already has the necessary code to decode and display the font graphics given a fresh ROM, so it'd be very little work. And massively useful when dealing with strings (my current research deals with displaying and altering text, particularly in C3. The latter which contains a number of string-loading routines. :) )

I might try to make the next post about finding and altering text, and maybe briefly touch on pointers (which would lead up to understanding some basic assembly somewhere down the road; probably the easiest way to introduce anyone to SNES assembly, IMO). This program will surely find quite a number of uses. :P

I DO have a large-scale dumping program which can dump text, hex, and even assembly given a starting and ending address, but it's not very user-friendly.

(And before anyone asks, I don't write editors. Just tools to aid in ROM hacking.)

Post #94115
Posted: 21st August 2005 20:34

Onion Knight
Posts: 48

Joined: 24/7/2005

Awards:
Member of more than five years. 
Would this help anyone hacking?
Post #94376
Posted: 21st August 2005 20:38

Climbing Marle!
Posts: 1,640

Joined: 21/6/2004

Awards:
Member of more than ten years. Participated at the forums for the CoN's 15th birthday! Major involvement in the Final Fantasy V section of CoN. Member of more than five years. 
That's simply hacking the save state of FFVI. What RL is talking about is hacking the actual ROM itself, making permanent changes, unlike the save state, which is only for that specific file. By hacking the ROM, any file you play on that ROM will be changed.

Post #94377
Posted: 21st August 2005 20:48

Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
Indeed. These are just offsets in a save state. While this is very useful if you want to edit the save state to give yourself items or spells, it doesn't let you make any actual modifications to the game itself. It's a good way to practice, though.

Saved states work the exact same way as ROMs (in fact, hex editing any kind of file works the same way.) You have addresses and values organised into certain structures. For instance, from the document...

All the Espers in your Skills menu are listed in these addresses:
267C 267D 267E 267F
...

Basically, these are bytes. Each bit is an esper (go back a few lessons if this isn't familiar to you. :P ) When a bit is "on", you have the esper. When it's "off", you don't. All you need to do is scroll down to address 0x0000267C and whip out your trusty calc.exe, set it into binary mode, and make the necessary changes.

However, this form of editing is absolutely useless if you wanted to, say, change the esper's graphics or the spells it teaches. You're limited to what the game can do as it currently is. Edit: Although the saved state might store that data somewhere, as it does end up loaded in RAM at some point. But whatever you edit will be erased as soon as the game reloads it, which will happen pretty much as soon as you close a menu or finish an attack in battle.

This post has been edited by Silverlance on 21st August 2005 20:49

Post #94378
Posted: 21st August 2005 21:23

Disciplinary Committee Member
Posts: 564

Joined: 2/7/2004

Awards:
Member of more than ten years. Member of more than five years. Winner of the 2005 100k post contest. 
Hey people, don't go like me trying to put in some random numbers. It's a bad idea, believe me :P The game will probably freeze because it won't be able to load what you changed. Like trying to load a command that doesn't exist. That's what happened to me.

Brief explanation, RL.

Maybe giving the list of bytes for each item/command/etc. would help?

This post has been edited by Zodiac on 21st August 2005 21:24

--------------------
Sayonara
Post #94382
Posted: 21st August 2005 21:33

Cetra
Posts: 2,350

Joined: 19/9/2004

Awards:
Member of more than five years. 
The document Xdeath linked to has a few lists. ;)

Often, when a game is trying to pick something (say, a spell to cast), it'll do something like this...

X = Spell ID x 2
Jump to the code at address C3:1F30 + X

...and at C3:1F30, you'd have a list of addresses. The x 2 thing is because every address, usually, is 2 bytes in length. For instance you might have this at C3:1F30...

Code
C3:1F30  40 1F ; address 1F40
C3:1F32  68 1F ; address 1F68
C3:1F34  AA 1F ; address 1FAA
C3:1F36  04 20 ; address 2004
C3:1F38  28 20 ; address 2028
C3:1F3A  5C 20 ; address 205C
C3:1F3C  8E 20 ; address 208E
C3:1F3E  F0 20 ; address 20F0


So spell number 5 would be... 1F30 + (5 x 2) = 1F3A. At C3:1F3A, we have the pointer to code C3:205C, which, well, would be the code for spell number 5 in the game. Obviously, judging from the list, there are only 8 (IDs 0 to 7) spells in this game. If you cheat and edit the game to use spell ID 8, however, it'll read data from C3:1F40, which isn't in our list. In fact, it's code for spell ID 0. Oops! Potential crash!

Little head start on pointers and assembly. :)

Post #94385
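To make the "spell ID 8" failure in the post above concrete, here is an added Python walkthrough of that table; it is not code from the thread. The eight pointers are exactly the ones listed in the post, laid out in little-endian byte order at C3:1F30. The five bytes placed at C3:1F40 to stand in for spell 0's handler are constructed for this example (they are real 65816 opcodes, LDA #$01 / STA $10 / RTS, but the routine is invented). The unchecked lookup does what the game does, X = ID * 2 and read the word at table + X; the checked version beside it is the test a hacker's tool should make before writing a modified ID back into a save state or ROM.

```python
"""Resolve entries in a 16-bit little-endian pointer table, checked and unchecked.

Added example for this thread, not code from the original post. The table
bytes are the eight pointers shown above; everything else in the bank image
is constructed filler.
"""
import struct

BANK = 0xC3
TABLE_ADDR = 0x1F30          # start of the pointer list inside bank C3
ENTRY_SIZE = 2               # each entry is a 16-bit address within the bank
ENTRY_COUNT = 8              # spell IDs 0..7 are valid

# The eight pointers from the post, already in little-endian byte order.
TABLE_BYTES = bytes.fromhex("401F 681F AA1F 0420 2820 5C20 8E20 F020")

# Constructed stand-in for spell 0's code at C3:1F40: LDA #$01 / STA $10 / RTS.
# Real 65816 opcodes, but the routine itself is invented for the example.
SPELL0_CODE = bytes.fromhex("A9 01 85 10 60")


def build_bank_image() -> bytearray:
    """A 64 KiB image of bank C3 with only the table and spell 0's code filled in."""
    bank = bytearray(0x10000)
    bank[TABLE_ADDR:TABLE_ADDR + len(TABLE_BYTES)] = TABLE_BYTES
    bank[0x1F40:0x1F40 + len(SPELL0_CODE)] = SPELL0_CODE
    return bank


def read_u16(bank: bytes, addr: int) -> int:
    """Little-endian 16-bit read, the way the CPU fetches a pointer."""
    return struct.unpack_from("<H", bank, addr)[0]


def parse_pointer_table(bank: bytes, table_addr: int = TABLE_ADDR,
                        count: int = ENTRY_COUNT) -> list:
    """Return the targets in table order, e.g. [0x1F40, 0x1F68, ...]."""
    return [read_u16(bank, table_addr + i * ENTRY_SIZE) for i in range(count)]


def resolve_unchecked(bank: bytes, spell_id: int) -> int:
    """What the game does: X = ID * 2, jump through (table + X). No bounds check."""
    return read_u16(bank, TABLE_ADDR + spell_id * ENTRY_SIZE)


def resolve_checked(bank: bytes, spell_id: int) -> int:
    """Same lookup, but refuse IDs past the end of the table."""
    if not 0 <= spell_id < ENTRY_COUNT:
        raise IndexError(f"spell ID {spell_id} is outside the table (0..{ENTRY_COUNT - 1})")
    return resolve_unchecked(bank, spell_id)


def describe(bank: bytes, spell_id: int) -> str:
    """Human-readable trace of one lookup, for following along in the hex editor."""
    slot = TABLE_ADDR + spell_id * ENTRY_SIZE
    target = resolve_unchecked(bank, spell_id)
    in_table = 0 <= spell_id < ENTRY_COUNT
    note = "valid entry" if in_table else "past the table: these bytes are code, not a pointer"
    return f"ID {spell_id}: slot {BANK:02X}:{slot:04X} -> {BANK:02X}:{target:04X} ({note})"


if __name__ == "__main__":
    bank = build_bank_image()
    for spell_id in (0, 5, 7, 8):
        print(describe(bank, spell_id))
```

For ID 8 the slot is C3:1F40, so the two bytes the game treats as a pointer are the first two opcode bytes of spell 0's handler (A9 01), and it would jump to C3:01A9, wherever that happens to be. That is the "potential crash" in the post, and it is why the checked version raises instead of returning a number.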
Posted: 21st August 2005 21:43

Onion Knight
Posts: 48

Joined: 24/7/2005

Awards:
Member of more than five years. 
This hacking stuff is hard, but I'm starting to get it.
Post #94390
Posted: 8th September 2005 19:55

Returner
Posts: 6

Joined: 8/9/2005


Hello everyone!

This is a very interesting topic to me!

With some of your (collective) previous help, I have done a little bit of save state hacking. But I have a question regarding what we are discussing here.

Are we examining the .srm files?

It seems like a rudimentary question, but I guess I should know that before trying to comprehend everything else.

So far, I have been able to use save state hacking to:

give myself all espers
equip a few characters with weapons/gear
change a few character sprites

This is all new to me, so I admit to being a little slow here. Thanks for all the help!
Post #95857
Posted: 8th September 2005 22:32

Climbing Marle!
Posts: 1,640

Joined: 21/6/2004

Awards:
Member of more than ten years. Participated at the forums for the CoN's 15th birthday! Major involvement in the Final Fantasy V section of CoN. Member of more than five years. 
Dellenthor,

As I stated in the other thread, RL will not have internet connection for several weeks and will be unable to answer your questions. I will try my best to answer in his place.

Whenever anybody refers to ROM hacking, they are referring to the editing of the ROM itself, that is, the .smc file. IIRC, the .srm file is your game save file. Although save state hacking is a start, it will only edit that save state, and the changes will only be on that saved game.

When you hack the .smc file, every time you play the game, the changes are there (which can be a good or bad thing, depending on what the changes were). Hopefully opening up the right file will make things a little clearer for you. :)

If you have any other questions, feel free to PM me or post again here in this topic.

Post #95870