Acmlm's Board - I2 Archive - Rom Hacking - Secret of Evermore Debug Menu
GuyInSummers
Posted on 07-29-05 12:32 PM
Hey there. I and some other hackers have recently taken to the Secret of Evermore rom in hopes of finding long-lost relics. It's been known for a while that the text remained for a debug menu (this, specifically), but almost ten years later nothing had actually been found. Until now. Sort of.

All addresses and information in the following refer to the NTSC version.

Our first attempts were to find where the current menu ring is stored in memory and edit that to access the debug menu. Unfortunately, accessing the debug ring crashed the game. Turns out the code that would load its contents and the pointers to their functionality has since been removed/ravaged. We discovered quite a bit about the menu code in the process. See this document - http://staff.starmen.net/pkhack/soe/ntsc/soe_E8344dump.txt - for reference. This is also worthwhile.

That document describes quite a bit about how the menu system works. In fact, using this data, we were able to see the names of debug menu items loaded properly, and even the nifty sprites those items use. (I'll update with some screenshots in the morning.) Unfortunately, it doesn't go far towards finding the debug menu, as all of the menu-constructing code itself seems to have been killed. If the actual routines of the menu could be found, we could go into RAM and manually set up the debug menu easily enough (though it should be noted that even if you do populate the debug menu in RAM, the game forces you to skip past it... we'll have to find out how to beat this). If we wanted to actually get a debug menu up and working with just a patch's worth of data, most of it would have to be reconstructed from scratch, but it's doable. What's important is that we were feeling particularly insane and decided to start making some menu options point to anything that looked like the start of an ASM routine. We did this for several hours. Yup, we're insane. But believe it or not, we found half of the debug menu routines.

96A7 - 96B7 ROM Creation Date
9796 - 97B0 Debug: Turn off both backgrounds
97B1 - 97C9 Debug: Show background 1 only
97CA - 97E2 Debug: Show background 2 only
97E3 - 9801 Debug: Show both backgrounds
983E - 98BF Debug: Mode 7 Flight
98C0 - 98E5 Debug: Heel

Those addresses are as they would appear (flipped, of course) in the menu function pointer tables. To get a hex address, add 0xE0200; to get a SNES address, add $CE0000. While there are no longer (without modification) any pointers to these routines, the routines themselves are fully functional. The ROM Creation Date, by the way, is 8/3/95 at 10:29:34 AM, so niftily enough, we're nearing the game's tenth anniversary. Debug: Heel is particularly awesome. You can target most anything - boy, dog, enemies, levitatable rocks - and the target will appear at your feet. Cool, if not creepy, to use on Thraxx's arm.

Also, in an attempt to find one of the still-hidden functions - Debug: Select map - we came across other coolness. We've identified a RAM location - $7E0ADB - that stores the number of the current map. They follow the order of the map list found in plain text in the rom at 2C8200. By some crazy methods (such as taking off with Debug: Mode 7 Flight, changing 7E0ADB, and landing in the corner of the world which puts you back to whenceever you took off), we've been able to load any map with this - except one. The 0x15th map is "Brian's Test Ground." Ooh, ahh. We've confirmed that the map is still in the game, but we can't get it to load fully, if it even still can. However, if you change the code at CD0BC to a LDA $04 (A9 04 00) and the code at 109163 to a LDA $15 (A9 15 00), and load the game, instead of the intro you'll get to walk on an empty collisionless Brian's Test Ground. It's a black void with a giant smiling face made of lights. That above tweak is my friend's work - the former LDA lets you walk on the intro screen, the latter loads Brian's instead of the intro map - but as I had no hand in that one I couldn't guess the reasoning or what code surrounds it.

So anyway, that means there are some mysteries still hidden: Debug: Show thud balls on path, Debug: Create a monster, Debug: Select map, all of the magic, and how to properly load Brian's. If anybody can come up with anything on these, it'd be awesome. At this point I can't think of anything besides brute-force searching and pointing to more potential ASM routines, but perhaps somebody has another idea. By the way, somebody should find how the two-byte pointers to sprites mentioned in one of those documents are expanded to full pointers so we could at least see the magics' sprites.

This post was written at 3:30 AM, so I'm sure I've forgotten some details and that most of it doesn't make sense. Also, we've got some cool pictures relating to it that we can put up; I'll do that in the morning. I need sleep now.


(edited by GuyInSummers on 07-29-05 04:21 PM)
Heian-794

Posted on 07-29-05 12:42 PM
GuyInSummers, do you read GameFAQs? Quite a while ago, one of the programmers (Brian) used to hang around there and talk about SoE. You might want to see if you can dig up some information from him, if you haven't already.
MathOnNapkins

Posted on 07-29-05 01:31 PM
dis is swet. j/k. Amazes me that all this is still in the rom. With a debugging mode I thought some of the gameplay would be less glitchy. (SoE is the only rom actual game to have ever crashed my SNES.)


(edited by MathOnNapkins on 07-29-05 04:32 AM)
GuyInSummers
Posted on 07-29-05 11:31 PM
Alrighty, here are the images I mentioned.


This is what the debug menu would look like if we could reactivate it, though the order may not be the same. The only option I didn't add to this list is ROM Creation Date, since it didn't have a Debug: prefix, but its icon is just a white D. And yes, Debug: Heel's icon is a walking dog. Mind you, this debug menu in the screenshot is actually just the config menu with different name/icons. Here's how it was done. The table at E9B20 was used to determine where the config ring gets loaded in ram. I went there - 7E0810 - and altered the number of items in the menu, then switched all the contents to debug menu contents. The reason this doesn't actually use debug menu functions is that it's still using the config ring's function pointer table. See, Debug: Select Map and Targeting both have the action byte 0E in the table at E8344. So that gets fed to the config ring's code, which uses 0E as an index for the function pointer table - but again, the config ring's table, not the debug ring's. Now, if you actually try to populate the debug ring instead of the config ring with these items, for whatever reason, the game forces you to skip by the debug ring. Even if we beat that skip though, there's still no code to use the action byte as an index to a debug function pointer table. And even if we -wrote- that code, I'm fairly certain they killed the function pointer table the debug menu would've used.


And here's some debug menu functionality. I've used Debug: Heel on Thraxx's body parts to slightly disturbing effect. This was done by altering the config ring's function pointer table (starts at EA644) and replacing a pointer to "Player Status" code with a pointer to Debug: Heel code (which is at E9AC0). The heel code was found through crazy brute-force searching, which I fear is the only way we'll find more debug menu items, unless somebody has another idea.


And this is Brian's Test Ground sans objects, done with the method mentioned above. If anybody can find a way to actually load this map that'd be awesome.


And no, I never knew Brian himself actually popped into message boards now and then, but it seems he's done it a few times. He never mentioned the debug menu though, it seems. He left an email address at one forum, so I might try that, however slim the chances are, and at the least I'll make a post at GameFAQs. Thanks for bringing that to my attention.
PeterGriffinTheMan

Posted on 07-29-05 11:46 PM
Pretty cool, now how did you do the monster creation thing? I want to try it. Is it hard to do?
GuyInSummers
Posted on 07-30-05 01:12 AM
The monster creation thing? If you mean what you see in the first image, it doesn't actually do anything. But if you want to see it for yourself, open up the config ring, then go to 7E0814 in RAM, and change it to 00. Then select Targeting to refresh the menu. The nifty spinning ball icon should replace one of the items on the menu, and it'll be called Debug: Create a monster. But that won't change what it actually does. If you don't have an emulator that lets you change RAM while playing, I suggest the latest version of Geiger's awesome Snes9x debugger.

If you mean what's happening in the second picture, I'm not actually creating those body parts, I'm just forcing them to move to my feet. The actual code for Create a monster hasn't been found, but the code for Heel has. To use that for yourself, go to EA644 and overwrite the two bytes there with C0 98, then try to view your Player status; Debug: Heel will be used instead. It's pretty sweet. You can strand Tar Skulls with it. And when a mosquito stings you and flies out of reach, just tell the little jerk to heel, then beat the living crap out of it.
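
The address arithmetic from the first post and the pointer-table edit from the later posts, as an added example that is not code from any of the posters: it converts the flipped 16-bit table pointers to file and SNES addresses using the 0xE0200 and $CE0000 offsets given in the thread, decodes a table of such pointers, and rewrites one slot. The function names and the small sample buffer are assumptions made for illustration.

```python
import struct

FILE_BASE = 0xE0200   # thread: table pointer + 0xE0200 = file ("hex") address
SNES_BASE = 0xCE0000  # thread: table pointer + $CE0000 = SNES address

# Routine ranges exactly as listed in the first post (16-bit table pointers).
ROUTINES = {
    "ROM Creation Date": (0x96A7, 0x96B7),
    "Debug: Turn off both backgrounds": (0x9796, 0x97B0),
    "Debug: Show background 1 only": (0x97B1, 0x97C9),
    "Debug: Show background 2 only": (0x97CA, 0x97E2),
    "Debug: Show both backgrounds": (0x97E3, 0x9801),
    "Debug: Mode 7 Flight": (0x983E, 0x98BF),
    "Debug: Heel": (0x98C0, 0x98E5),
}

def locate(ptr):
    """Return (file offset, SNES address, bytes as stored in a pointer table)."""
    if not 0 <= ptr <= 0xFFFF:
        raise ValueError("table pointers are 16-bit")
    return FILE_BASE + ptr, SNES_BASE + ptr, struct.pack("<H", ptr)

def routine_at(ptr):
    """Name of the listed routine whose range contains ptr, else None."""
    for name, (start, end) in ROUTINES.items():
        if start <= ptr <= end:
            return name
    return None

def read_table(image, offset, count):
    """Decode `count` little-endian ("flipped") 16-bit pointers from `image`."""
    if offset < 0 or offset + 2 * count > len(image):
        raise ValueError("table runs past end of image")
    return list(struct.unpack_from("<%dH" % count, image, offset))

def redirect(image, slot_offset, routine):
    """Point one table slot at a listed routine; return the pointer it replaced."""
    if slot_offset < 0 or slot_offset + 2 > len(image):
        raise ValueError("slot outside image")
    (old,) = struct.unpack_from("<H", image, slot_offset)
    struct.pack_into("<H", image, slot_offset, ROUTINES[routine][0])
    return old

if __name__ == "__main__":
    table = bytearray(b"\x11\x22\x33\x44")  # constructed stand-in for a table
    redirect(table, 0, "Debug: Heel")       # same edit as EA644 <- C0 98
    print([routine_at(p) for p in read_table(table, 0, 2)], locate(0x98C0))
```

Keeping the value `redirect` returns makes the edit reversible, since the original pointer is needed to restore the slot.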