Hex walkthrough

Postby rainbowsprinklez » April 16th, 2020, 8:41 am

Stage names

Now, I think I am most comfortable with hex editing, but I am by far not an expert. There are many people more worthy here on the atlas. I just want to spread some of the basics. Please correct me where wrong! This is just how I understand things, so everything might not be correct.

I come from a dkc1 background, so this applies to dkc1. Many of these principles can be applied to other games though!

The basics: Hex editing (Stages)

This is what a hex editor looks like

https://i.imgur.com/RWRoeFQ.png

See those 6 numbers/letters to the left? This is the address, also known as the offset. Hex is short for hexadecimal, the numbering system used here. Valid hex digits are in the range 0-9 and a-f. The left-hand two digits of the 6 are what's known as the bank number. Some data pointers (not all, mind you) are in the same bank. If we look at the stage name for Jungle Hijinx, we find it in hex here:

https://i.imgur.com/0a3Usmk.png

If you notice, the final character looks a little funny. This is because the game needs to tell when an end-of-line marker is reached. The game does this by setting bit 7. Open up Windows Calculator. Set it to programming mode. Hit Hex and type f3. Hit the bit-toggling keypad button:

https://i.imgur.com/OeIdbwm.png

You should see a screen like this:

https://imgur.com/a/r4I2xeq

Click on the underlined 1 to turn off the 7th bit (0-indexed). Using this in reverse, you can easily set up your own names!
But wait... My name is too long to fit in the given space... That is ok! So far we covered how to change the endpoint: just set bit 7! Now let's talk about changing the start point. If we examine Jungle Hijinxs, that name begins at 0x38a6e2 ('0x' means we are looking at a hexadecimal offset). Remember how I said some data pointers are in the same bank? Well, this is an example of that! The last 4 digits are the important part: a6e2. But, since this is SNES, these data pointers are stored in little-endian format. So this pointer is stored as e2 a6. See the accompanying picture below.

https://i.imgur.com/CcZEFmU.png

If you are worried about space, there is unused German text right before this. These pointers must be within the same bank, in this case bank 0x38, to work.

This is only text. Not everything works in the same manner, but Cranky/Candy/Funky all use a very similar approach.

For various useful offsets (and some not so useful ones), check here https://docs.google.com/spreadsheets/d/ ... sp=sharing or look into Giangurgolo's docs!

Please post any questions below.
Veteran Venturer
Bananas received 108
Posts: 568
Joined: 2016

Re: Hex walkthrough

Postby Cyclone » September 9th, 2020, 5:03 pm

Edit: Never mind, I get it.

But how did you find the pointer array?
Expedition Leader
Bananas received 559
Posts: 1211
Joined: 2008

Re: Hex walkthrough

Postby rainbowsprinklez » September 9th, 2020, 10:09 pm

That one was simple to find. Others not so much. I guess it depends on whether it's in the same bank or not. In this case, I searched for the start of the string. I searched for e2 a6. A more fine-tuned way to search is searching for a6 e2 a6, but this won't always work. The other way is to reverse engineer it from ASM code.
$B8/9F08 8B          PHB                     A:0000 X:0002 Y:0008 P:eNvmxdIzc
$B8/9F09 4B          PHK                     A:0000 X:0002 Y:0008 P:eNvmxdIzc
$B8/9F0A AB          PLB                     A:0000 X:0002 Y:0008 P:eNvmxdIzc
$B8/9F0B AE 67 05    LDX $0567  [$B8:0567]   A:0000 X:0002 Y:0008 P:eNvmxdIzc
$B8/9F0E BD 7A A1    LDA $A17A,x[$B8:A17A]   A:0000 X:0000 Y:0008 P:envmxdIZc
$B8/9F11 85 4C       STA $4C    [$00:004C]   A:A1E2 X:0000 Y:0008 P:eNvmxdIzc
$B8/9F13 A9 B8 00    LDA #$00B8              A:A1E2 X:0000 Y:0008 P:eNvmxdIzc
$B8/9F16 85 4E       STA $4E    [$00:004E]   A:00B8 X:0000 Y:0008 P:envmxdIzc
$B8/9F18 A6 3E       LDX $3E    [$00:003E]   A:00B8 X:0000 Y:0008 P:envmxdIzc
$B8/9F1A BD 7A A0    LDA $A07A,x[$B8:A090]   A:00B8 X:0016 Y:0008 P:envmxdIzc
$B8/9F1D 29 FF 00    AND #$00FF              A:0321 X:0016 Y:0008 P:envmxdIzc
$B8/9F20 0A          ASL A                   A:0021 X:0016 Y:0008 P:envmxdIzc
$B8/9F21 A8          TAY                     A:0042 X:0016 Y:0008 P:envmxdIzc
$B8/9F22 B7 4C       LDA [$4C],y[$B8:A224]   A:0042 X:0016 Y:0042 P:envmxdIzc
$B8/9F24 85 4C       STA $4C    [$00:004C]   A:A6E2 X:0016 Y:0042 P:eNvmxdIzc


This code tells me that the pointer array is at 0xb8a1e2, or 0x38a1e2 if you prefer.

EDIT:
The first way only finds the index of the array you are looking for. The ASM route tells me the start point of the array.
With the first way, you can find the start point of the array too, but that requires guess and check.

Maybe Kingizor or someone else knows a more elegant way.
Veteran Venturer
Bananas received 108
Posts: 568
Joined: 2016
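The name encoding from the first post (bit 7 on the last character, little-endian pointers that stay in one bank) and the pointer-array search from this reply, as an added example that is not code from the thread or the game. All offsets and the name order are constructed to mirror the thread's 0x38A1E2 table and 0x38A6E2 string:

```python
# Added example, not the thread's code: a toy model of DKC1 stage-name storage, i.e.
# bit-7-terminated text behind 2-byte little-endian pointers that stay in one bank.
# All offsets are constructed; they mirror the thread's 0x38A1E2 table and 0x38A6E2 name.
BANK = 0x38
TABLE = 0x38A1E2   # ROM offset of the pointer array (constructed)
TEXT = 0x38A6C7    # chosen so the third demo name lands at 0x38A6E2 (constructed)

def encode_name(text):
    """Set bit 7 on the final character: that is the game's end-of-string marker."""
    b = bytearray(text.encode("ascii"))
    b[-1] |= 0x80
    return bytes(b)

def decode_name(rom, off, limit=64):
    """Read until a byte has bit 7 set; None if no marker within `limit` bytes."""
    out = ""
    for c in rom[off:off + limit]:
        out += chr(c & 0x7F)   # masking bit 7 only changes the last character
        if c & 0x80:
            return out
    return None

def read_pointer(rom, off):
    """e2 a6 on disk means 0xA6E2; no bank byte is stored, so BANK is implied."""
    return (BANK << 16) | int.from_bytes(rom[off:off + 2], "little")

def write_pointer(rom, off, target):
    """The reverse: the target must sit in BANK, then store its low 16 bits."""
    assert target >> 16 == BANK, "pointer must stay within the same bank"
    rom[off:off + 2] = (target & 0xFFFF).to_bytes(2, "little")

def find_table_start(rom, known_string_off):
    """The thread's search: find the little-endian bytes of a known string address
    (e2 a6), then step back one entry at a time while the previous entry still
    points at a printable terminated name. Returns -1 if the bytes are absent."""
    hit = rom.find((known_string_off & 0xFFFF).to_bytes(2, "little"))
    while hit >= 2:
        prev = decode_name(rom, read_pointer(rom, hit - 2))
        if not (prev and prev.isprintable()):
            break
        hit -= 2
    return hit

def build_rom(names):
    """Constructed 4 MiB (32 Mbit) ROM: names packed back to back, one entry each."""
    rom, cursor = bytearray(0x400000), TEXT
    for i, n in enumerate(names):
        write_pointer(rom, TABLE + 2 * i, cursor)
        rom[cursor:cursor + len(n)] = encode_name(n)
        cursor += len(n)
    return rom
```

The lookup the traced ASM performs is decode_name(rom, read_pointer(rom, TABLE + 2 * index)), and a name too long for its slot is handled by writing encode_name(...) into free space and calling write_pointer on that table entry.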

Re: Hex walkthrough

Postby Cyclone » September 10th, 2020, 12:29 pm

How did you know where the start of the string is in the ROM? Jungle Hijinx for example? Where did you get e2 a6 from?

Did you search for the text in a hex editor and find the offset that way? For example, search the ROM for the ASCII characters that make up the name of a level.

Sorry for sounding stupid...

Thanks.

Edit: I want to overwrite the German text. Where does the data start/end?

Start =
End = 38A508
Expedition Leader
Bananas received 559
Posts: 1211
Joined: 2008

Re: Hex walkthrough

Postby Cyclone » September 10th, 2020, 7:42 pm

Also, you said some pointers are in the same bank. How large is a bank?
Expedition Leader
Bananas received 559
Posts: 1211
Joined: 2008

Re: Hex walkthrough

Postby rainbowsprinklez » September 11th, 2020, 12:55 am

Cyclone wrote: How did you know where the start of the string is in the ROM? Jungle Hijinx for example? Where did you get e2 a6 from?

Did you search for the text in a hex editor and find the offset that way? For example, search the ROM for the ASCII characters that make up the name of a level.


That's exactly how I initially found that. To find the above I used Geiger's SNES debugger.

Cyclone wrote: Edit: I want to overwrite the German text. Where does the data start/end?

Start =
End = 38A508

You should be able to find the start yourself. Just look in a hex editor. Also, your end is off by 1. The byte you specified doesn't have the high bit set, which should be a red flag.

Cyclone wrote: Also, you said some pointers are in the same bank. How large is a bank?


https://en.wikibooks.org/wiki/Super_NES ... 20Megabits).
Veteran Venturer
Bananas received 108
Posts: 568
Joined: 2016

Re: Hex walkthrough

Postby Cyclone » September 11th, 2020, 10:30 am

I need some clarification. Is value E5 at 38A4F8 or at 38A4F9?
Also, I'm not sure how far to go with the German text. I highlighted the last word I could understand; before that I can't read the text.
See screenshots.
I know these are stupid questions. Thanks for your patience.
Attachments
German.jpg
HEX.jpg
Expedition Leader
Bananas received 559
Posts: 1211
Joined: 2008

Re: Hex walkthrough

Postby rainbowsprinklez » September 12th, 2020, 1:10 am

Good practice is to set your hex editor 16 wide, or 32. I like 16. 32 is used to see tilemaps, so it pays off to get used to that too. Having anything else makes data hard to follow. Everything in hex is 0-based. One shortcut you could've done if you aren't sure is to highlight it; your hex editor tells you at the bottom.

That is in fact the first word. You can verify that by seeing that a7d5 is the pointer for Candy's Save Point in English.
Veteran Venturer
Bananas received 108
Posts: 568
Joined: 2016

Re: Hex walkthrough

Postby Cyclone » September 12th, 2020, 1:03 pm

Cool, thanks. That does make things easier to read!
Expedition Leader
Bananas received 559
Posts: 1211
Joined: 2008

