
General Findings?

I recently became so interested in ROM hacking that it's all I do, but I'm having trouble in the area of even finding the text tables and making ROM and RAM maps, so my question is to the creators of the RAM and ROM map here: where did you find this data?

Give Mario some love?~
I'm only experienced in SNES hacking, and a little bit of NES hacking.

For SNES hacking, all I've done is use the snes9x debugger. If you don't know how to use it, you might want to read my snes9x debugger tutorial.
For NES hacking, I've used the FCEUX debugger.

As you can see, debuggers are the way to go!
My blog. I could post stuff now and then

My Assembly for the SNES tutorial (it's actually finished now!)
OK, so using a debugger (no$gba or no$gmb) on a GBC game, what do I look for?

Give Mario some love?~
To make any ROM or RAM maps, you must find some ROM or RAM addresses.

I found some addresses in Super Mario World and in Mario Paint. These are SNES games, so their ROM images contain 65816 machine code. I found all of my addresses by reading a disassembly of the machine code. By reading the disassembly, I can understand how the original hackers programmed the ROM to use addresses. I submitted some of my addresses to the ROM Map or RAM Map of SMWcentral, and I created an address map of Mario Paint.

This is an example of code in Mario Paint that I found and commented. I learned about RAM $00044c, ROM $008555, and other addresses in Mario Paint by studying this code.

Code
                ;;; jsl subroutine
                ;;; returns A = random number
                ;;; 
                ;;; Returns a random number in the accumulator. Yields a
                ;;; uniformly random number in range 0..255. (The upper
                ;;; bound of 256 comes from ROM $008555.)
                ;;; 
                ;;; There is a bug. Every 55th call to this subroutine
                ;;; returns the 16-bit value from RAM $000524..$000525,
                ;;; instead of a random number.
                random:
/*01e20c 8b*/           phb                     ; Push data bank,
/*01e20d 0b*/           phd                     ;   direct page location,
/*01e20e da*/           phx                     ;   X,
/*01e20f 5a*/           phy                     ;   Y,
/*01e210 08*/           php                     ;   processor flags.
/*01e211 f4 00 00*/     pea.w   $0000
/*01e214 ab*/           plb
/*01e215 ab*/           plb                     ; data bank: $00
/*01e216 f4 00 00*/     pea.w   $0000
/*01e219 2b*/           pld                     ; direct page: $0000..$00ff
/*01e21a c2 30*/        rep     #PM | PX        ; 16-bit AXY
                        ;; Table $00044c contains 55 random numbers, each
                        ;; 2 bytes. RAM $00044a is a number from 0 to 54.
/*01e21c ee 4a 04*/     inc.w   $044a           ; go to next random number
/*01e21f ad 4a 04*/     lda.w   $044a           ; position => A
/*01e222 c9 37 00*/     cmp     #$0037
/*01e225 90 06*/        bcc     +6 /*$e22d*/    ; branch if A < 55
                        ;; We need more random numbers, so stir the table.
                        ;; 
                        ;; Subroutine returns A = 108. When we fall through
                        ;; to $01e22d, we get Y = 216. But the table has only
                        ;; 110, not 218, bytes; because $044c + 216 => $0524,
                        ;; we return A = RAM $000524, which is outside the
                        ;; table of random numbers!
/*01e227 20 98 e2*/     jsr.w   $e298           ; stir the table
/*01e22a 9c 4a 04*/     stz.w   $044a           ; go to first random number

/*01e22d 0a*/           asl     a               ; A * 2 => Y, because
/*01e22e a8*/           tay                     ;   table has 16-bit values
/*01e22f b9 4c 04*/     lda.w   $044c,y         ; random value from table => A
/*01e232 28*/           plp
/*01e233 7a*/           ply
/*01e234 fa*/           plx
/*01e235 2b*/           pld
/*01e236 ab*/           plb                     ; restore pf, Y, X, dp, db
/*01e237 6b*/           rtl                     ; return from $01e20c


Sometimes, when I need help to understand the code, I write assembly patches to modify the code. If the subroutine at ROM $01e20c returns random numbers, then the game must act more predictably if I rewrite the subroutine to always return the same number.

I wrote this assembly patch to always return zero.

Code
;;; mario-paint.i
.memorymap
        defaultslot 0
        slot 0 start $8000 size $8000
.endme

.rombanksize $8000
.rombanks 32

.background "../mario-paint.sfc"


Code
;;; mp-no-random.s
.include "mario-paint.i"

;;; Cause jsl $01e20c to return a constant value,
;;; not a random value.
.bank $01
.orga $e20c
.section "patch" overwrite
        php
        rep     #$20            ; 16-bit A
        lda     #0
        plp
        rtl
.ends


When I applied this patch and played the game, I verified that the subroutine at ROM $01e20c returns random numbers, and I observed parts of the game that use random numbers. This helped me to comment that subroutine, and to find the addresses which that subroutine uses.

There are other ways to find addresses. The only other way, which I have used successfully, is to write a program that examines a data structure in the ROM image, and reports the addresses of parts of that structure. My dump-tms.rb program is an example.

Originally posted by The Haunted Muncher
I'm only experienced in SNES hacking, and a little bit of NES hacking.

For SNES hacking, all I've done is use the snes9x debugger. If you don't know how to use it, you might want to read my snes9x debugger tutorial.
For NES hacking, I've used the FCEUX debugger.

As you can see, debuggers are the way to go!


Originally posted by zKiP
OK, so using a debugger (no$gba or no$gmb) on a GBC game, what do I look for?


I have no debuggers for those platforms, but I have used a debugger for other platforms.

If you have no other ideas, then you can stop the program, use the debugger to change the value in any RAM address, continue the program, and observe the effect. For example, if you have 23 coins, then you might find a 23 in RAM, and change 23 to some other number.

Hacking Super Mario World since 28 February 2009
SMWDISC
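The out-of-table read described in the commented disassembly above can be reproduced with a small Python model. This is an added example, not code from the thread: the RAM contents are constructed, `stir_table()` is a stand-in for the subroutine at $e298 (the post only says it returns A = 108), and `random_fixed()` is a hypothetical correction.

```python
# Added model of the routine at ROM $01e20c, following the commented disassembly.
# Assumptions: RAM contents are constructed; stir_table() stands in for the
# subroutine at $e298 (the page only says it returns A = 108); random_fixed()
# is a hypothetical correction, not a patch from the thread.
TABLE, POS, ENTRIES = 0x044C, 0x044A, 55    # table base, position, cmp #$0037

def read16(ram, addr):
    return ram[addr] | (ram[addr + 1] << 8)

def write16(ram, addr, value):
    ram[addr], ram[addr + 1] = value & 0xFF, (value >> 8) & 0xFF

def stir_table(ram):
    return 108                               # value left in A by jsr $e298

def random_original(ram):
    write16(ram, POS, read16(ram, POS) + 1)  # inc.w $044a
    a = read16(ram, POS)                     # lda.w $044a
    if a >= ENTRIES:                         # cmp #$0037 / bcc not taken
        a = stir_table(ram)                  # A now holds 108, not a position
        write16(ram, POS, 0)                 # stz.w $044a
    addr = TABLE + ((a * 2) & 0xFFFF)        # asl a / tay / lda.w $044c,y
    return read16(ram, addr), addr

def random_fixed(ram):
    write16(ram, POS, read16(ram, POS) + 1)
    a = read16(ram, POS)
    if a >= ENTRIES:
        stir_table(ram)
        write16(ram, POS, 0)
        a = 0                                # index the table by the reset position
    addr = TABLE + a * 2
    return read16(ram, addr), addr

def make_ram():
    ram = bytearray(0x2000)                  # constructed low RAM, position = 0
    for i in range(ENTRIES):
        write16(ram, TABLE + 2 * i, 0x1000 + i)
    write16(ram, 0x0524, 0xBEEF)             # marker outside the 110-byte table
    return ram

def out_of_table_calls(routine, calls):
    ram, hits = make_ram(), []
    for n in range(1, calls + 1):
        value, addr = routine(ram)
        if not TABLE <= addr < TABLE + 2 * ENTRIES:
            hits.append((n, hex(addr), hex(value)))
    return hits

if __name__ == "__main__":
    print(out_of_table_calls(random_original, 165))
    print(out_of_table_calls(random_fixed, 165))
```

In the original routine the table entry at index 0 is never returned, because the call that resets the position reads $0524 instead.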
OK, I think I understand now... thanks! :)

Give Mario some love?~
I am highly experienced in the Genesis format, so I may be able to help you.

Start by looking for the graphics (if there are any which aren't compressed). Even find empty data (can be FF) and look after the FF's because there may be something you are looking for.

As for texts, use a hex editor called Translhextion. If you were looking up the word FROG, you would press Ctrl+K and type FROG. You may find many different results for this e.g. 16, 22, 1F, 07 or 82, 8D, 8A, 83.
Data Crystal has some valuable information, though some of the pages may be a bit dated.

And of course good ol' romhacking.net has some great game-specific documents that may fit your interests.

Originally posted by Boingboingsplat

Data Crystal has some valuable information, though some of the pages may be a bit dated.

And of course good ol' romhacking.net has some great game-specific documents that may fit your interests.

I have no interest in that, but thanks anyway ;) I have about 20% of a Pokemon Blue ROM map finished! Thanks to all.. Halloween Joy!

Give Mario some love?~