Sega Saturn hacking docs (part 8)
Dirty way of finding ASM routines
(Last Updated December 25, 2002)
List of updates
-December 25, 2002 - First release
Introduction
First of all, as with all my hacking docs, this is a WIP (work in progress). I'm sure some of the info here is inaccurate. But that's what you people reading this are for (so you can help me fix my mistakes ;), right?
Please, if you want to copy portions (whole or in part) of this document, please, at least email me and ask. Linking is fine, just mention where the original doc was found.
Getting Started
You'll need a working Commlink/Action Replay setup to follow along. You should already have a good understanding of SH2 asm, memory locations, tile formats, text formats and pointers before continuing. If you feel somewhat confident, read this anyway, since you may follow enough of it to understand what I'm talking about.
Requirements
- a PC
- An emulator capable of running the game you’re screwing around with, with memory editing capabilities OR a Commlink/Action Replay/Saturn setup
- You should already know where the font/text, etc. is loaded in memory
Simple is Fast
It's funny how people (myself included) forget that simple approaches can sometimes reap huge rewards. This is especially true with Saturn hacking.
The basic idea behind my method is based on the following facts:
1) In SH2 code, the constant values and pointers a function uses are stored directly after the function (its literal pool).
2) Base pointers to wram, vram, and sound RAM are always SH2 addresses.
3) Pointers to anything outside wram are always cache-through addresses, so they always look like 0x2???????.
4) Games like to align data to at least a 0x1000 boundary. I don't think this is a system limitation; it's more that it's easier to work with.
Make sure you've already spent the time finding the data (in memory) that the routine is reading from or writing to. For fonts, look for where the font is loaded in wram and in vram. It's always a good idea to write these addresses down for future reference, and not just for finding asm routines. Lastly, make lots and lots of notes! You'd be amazed at how easily one can forget about [insert name of function here] after a brief couple-of-week break from hacking.
The Method
First of all, start the game running in Commlink mode (if using a real Saturn). Then go to a point in the game where you know the routine is being used (e.g. For font/text, go to an area where dialogue, etc. is being displayed).
Now search the area 0x06000000-0x06100000 for the address (or addresses) you wrote down. If no matches were found, try the lower wram (0x00200000-0x00300000) as well. If you find a match, first make sure it sits at an address divisible by 4. If it passes that test, check whether there are any wram pointers (values in the range 0x06000000-0x06100000) directly before or after it. If it passes both of those tests, next try modifying the value. I find the best way of doing it (without getting crashes) is by adding 4. Or, if you're dealing with font pointers, add a value that's half the size of one tile (e.g. for 4BPP 16x16 tiles, add 0x40 or 64).
Check to see if anything has visibly changed. For text you may have to flip through to the next scene of text before you notice anything. If nothing has changed, restore the value to its original address and continue searching. When something finally changes, make a note of the bytes before and after the pointer (because you're going to have to figure out which program file it's from) and write down the SH2 address you found it at.
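The search steps above can be scripted against a memory dump pulled over Commlink or from an emulator. The following is an added example (not part of the original doc): it scans a dump for longword-aligned copies of the target address, reports whether neighbouring longwords look like wram or cache-through pointers (the "is it sitting in a function's constant pool?" test), and computes the half-a-tile nudge value for font pointers. The dump bytes, the base address 0x06040000 and the font address 0x25E00000 are constructed sample values, not taken from any game.

```python
import struct

# Address ranges from the doc: high work RAM is searched first, low work RAM as a fallback.
HI_WRAM = (0x06000000, 0x06100000)
LO_WRAM = (0x00200000, 0x00300000)


def tile_bytes(width, height, bpp):
    """Byte size of one tile, e.g. 16x16 at 4BPP is 0x80 bytes."""
    return width * height * bpp // 8


def font_nudge(pointer, width, height, bpp):
    """Value to try in place of a font pointer: half a tile further on (0x40 for 4BPP 16x16)."""
    return pointer + tile_bytes(width, height, bpp) // 2


def is_wram_pointer(value):
    return any(lo <= value < hi for lo, hi in (HI_WRAM, LO_WRAM))


def is_cache_through(value):
    # Non-wram pointers show up as 0x2??????? (cache-through addresses).
    return (value & 0xF0000000) == 0x20000000


def find_pointer_candidates(dump, base, target, window=4):
    """Find every occurrence of `target` in `dump` (loaded at SH2 address `base`).

    Each hit is reported with its SH2 address, whether it is longword aligned, and how
    many of the surrounding `window` longwords on either side look like wram or
    cache-through pointers. Unaligned hits fail the doc's first test and are not
    examined further. SH2 is big-endian, so longwords are unpacked with '>I'.
    """
    needle = struct.pack(">I", target)
    results = []
    off = dump.find(needle)
    while off != -1:
        address = base + off
        aligned = address % 4 == 0
        wram_near = ct_near = 0
        if aligned:
            for k in range(-window, window + 1):
                noff = off + 4 * k
                if k == 0 or noff < 0 or noff + 4 > len(dump):
                    continue
                value = struct.unpack_from(">I", dump, noff)[0]
                wram_near += is_wram_pointer(value)
                ct_near += is_cache_through(value)
        results.append({
            "address": address,
            "aligned": aligned,
            "wram_pointers_nearby": wram_near,
            "cache_through_nearby": ct_near,
            "likely_pool": aligned and (wram_near > 0 or ct_near > 0),
        })
        off = dump.find(needle, off + 1)
    return results


# Constructed sample dump: a plausible-looking literal pool followed by noise.
SAMPLE_BASE = 0x06040000
SAMPLE_DUMP = (
    struct.pack(">I", 0x06044000)    # +0x00 wram pointer
    + struct.pack(">I", 0x25E00000)  # +0x04 the font vram address being hunted (aligned hit)
    + struct.pack(">I", 0x060A1234)  # +0x08 another wram pointer
    + struct.pack(">I", 0x00000000)  # +0x0C
    + struct.pack(">I", 0x12345678)  # +0x10 unrelated data
    + bytes.fromhex("FF25E000")      # +0x14 these two longwords put the target bytes
    + bytes.fromhex("00000000")      # +0x18 at +0x15, i.e. an unaligned false hit
    + struct.pack(">I", 0x25E00000)  # +0x1C aligned hit with nothing pointer-like around it
    + struct.pack(">I", 0x0000FFFF)  # +0x20
    + struct.pack(">I", 0x00000001)  # +0x24
    + struct.pack(">I", 0x00000002)  # +0x28
    + struct.pack(">I", 0x00000003)  # +0x2C
)

if __name__ == "__main__":
    for hit in find_pointer_candidates(SAMPLE_DUMP, SAMPLE_BASE, 0x25E00000):
        print({k: (hex(v) if k == "address" else v) for k, v in hit.items()})
    print("try writing:", hex(font_nudge(0x25E00000, 16, 16, 4)))
```

Only the hit at 0x06040004 passes both tests; the one at 0x06040015 is rejected for alignment, and the one at 0x0604001C is aligned but has no pointers near it, so it is the last one worth poking.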
Decoding what you found
Now figure out which file that data came from. Doc #7, "Finding Data", explains this in more detail. Once you've found the file, find the exact start of the file in Saturn memory and write down the address. Use this address as the origin when you disassemble the file with something like sh2d.
Now go to the memory address you wrote down earlier (where you found your pointer) in your disassembled file. Check to make sure it matches up properly with what you found. If it does, look at the code above and that should be your routine.
Special Notes
Text routines for Japanese games tend to follow the same format. They'll usually look something like this:
mov.w @rX, rY ; rX holds the address of the current character code; mov.w sign-extends the 16-bit value into rY
extu.w rY, rY ; zero-extend the low word to 32 bits (undoes the sign extension)
shll2 rY ; shift left by 2; the total shift depends on the tile format
shll2 rY ; shift left by 2 again (x16 in total)
add rY, rZ ; rZ holds the font base address; it now points at the glyph
Yes, this is generalizing quite a bit as there’s more done than this. But, it helps you find what you’re looking for.
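Why the extu.w matters is easier to see by stepping through the snippet on a real character code. This is an added example, not from the original doc: it models each instruction on a Shift-JIS code (0x8140, a full-width space) with a constructed font base of 0x25E00000, and shows where the address ends up if the zero-extension is skipped.

```python
import struct

MASK32 = 0xFFFFFFFF


def mov_w(text, pos):
    """mov.w @rX,rY: load a 16-bit word and sign-extend it into a 32-bit register."""
    code = struct.unpack_from(">H", text, pos)[0]
    return (code - 0x10000 if code & 0x8000 else code) & MASK32


def extu_w(ry):
    """extu.w rY,rY: zero-extend the low 16 bits."""
    return ry & 0xFFFF


def shll2(ry):
    """shll2 rY: shift left by 2, dropping bits that leave the register."""
    return (ry << 2) & MASK32


def glyph_address(text, pos, font_base, use_extu=True):
    """Run the snippet as the doc shows it (shll2 twice, so 16 bytes per code value)."""
    ry = mov_w(text, pos)
    if use_extu:
        ry = extu_w(ry)
    ry = shll2(shll2(ry))
    return (font_base + ry) & MASK32


# Constructed sample text buffer: one Shift-JIS full-width space (0x8140).
SAMPLE_TEXT = bytes.fromhex("8140")
SAMPLE_FONT_BASE = 0x25E00000

if __name__ == "__main__":
    print("with extu.w:   ", hex(glyph_address(SAMPLE_TEXT, 0, SAMPLE_FONT_BASE)))
    print("without extu.w:", hex(glyph_address(SAMPLE_TEXT, 0, SAMPLE_FONT_BASE, use_extu=False)))
```

Any code with the top bit set (everything above 0x7FFF, which is most of Shift-JIS) comes out of mov.w as a negative value, so without the extu.w the add lands below the font base instead of at 0x81400 bytes past it. That is also why the extu.w is a handy landmark when scanning a disassembly for the text routine.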
Graphic drawing routines can unfortunately be a little more difficult to find. For instance, the Langrisser series (among a few others) generates a type of shadow around the character, converts it to 4BPP and copies it to vdp2 memory. Some games draw the font as sprites (VWF games tend to do this) and others just convert the font to 8x8 tiles and generate an appropriate tile map.
Questions
If there's an important topic I may have missed, feel free to email me and ask.
Special Thanks
-The Saturn fans that keep the system alive
-Artemio Urbina for his hacking help
-SkankinMonkey for being ereet
-Sega for making one of my all-time favourite systems.
Cyber Warrior X
cwx@softhome.net
Source: http://www.cyberwarriorx.com