Friday, February 29, 2008

Willow Hack PoC complete!

My Proof-of-concept hack is done, and I now have a Willow ROM that allows saving current progress by pressing SELECT-B and resuming the saved game by selecting PASS WORD in the opening screen or CONTINUE after losing all your HP.

So far the hack works well on FCEUltra. I tried on NesterJ for the PSP but it crashed every time I tried to save my progress. Maybe it doesn't have support for battery backed RAM?

On a side note I called in sick, because I'm feeling really lousy, but apparently not enough to stop me from sitting in front of my PC for 6 hours straight.

Right now I'd like to change the intro screen text to "CONTINUE" instead of "PASS WORD", but I really should be getting some rest.

Once I figure out how the screens are set up and how text is drawn, I'd like to put in a real save game selection screen, with allowance for 3 save games, showing info about each save game.

UPDATE: Just tested it on NesterJ version 1.20 beta, and it works perfectly! The version that the hack wasn't working with was 1.1 RM.

Download the patch and source here

Thursday, February 28, 2008

Willow Hack News

I'm using a cross assembler for the SNES, but since the 65816 processor mostly extends the 6502, getting it to work for this project was easy.

Well, mostly.

I spent most of the morning trying to get the assembler to produce a valid IPS file, but I'm glad I did.

The samples I downloaded for compiling SNES patches from asm files had scripts for checking addresses when creating patch files.

I was getting symbol not found errors when trying to subtract a hex address from a variable, but had no problems adding (or any other operation, I suppose).

The error went away when I decided to use base 10 to represent the value I was trying to subtract.

So, instead of

    @STEP2 = @STEP1 - $C000

it was

    @STEP2 = @STEP1 - 49152

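The address arithmetic above (CPU address minus $C000, plus the header and the bank's position in the file) and the IPS output the assembler was fighting over are small enough to show in a stand-alone script. This is an added example in Python, not the blog author's toolchain or the SNES assembler samples; it assumes a 16-byte iNES header and a fixed PRG bank mapped at $C000-$FFFF that is the last 16 KiB of PRG-ROM (true for a 32 KiB NROM cart; other mappers place banks differently). The ROM contents and the routine bytes are constructed for the demo and have nothing to do with Willow.

```python
"""IPS patch build/apply plus CPU-address-to-file-offset conversion.

Added example, not code from the blog or its toolchain. Assumptions:
  * a 16-byte iNES header precedes PRG-ROM;
  * the fixed bank mapped at $C000-$FFFF is the LAST 16 KiB of PRG-ROM
    (NROM-style); bank-switching mappers need their own mapping.
"""
from typing import Tuple

HEADER_SIZE = 16
FIXED_BANK_BASE = 0xC000   # CPU address where the fixed bank is mapped
BANK_SIZE = 0x4000         # one 16 KiB PRG bank


def cpu_to_file_offset(cpu_addr: int, prg_size: int) -> int:
    """Map a CPU address in the fixed bank to an offset in the .nes file.

    This is the '@STEP1 - $C000' subtraction from the post, with the header
    size and the bank's position inside PRG-ROM added back on.
    """
    if not FIXED_BANK_BASE <= cpu_addr <= 0xFFFF:
        raise ValueError(f"${cpu_addr:04X} is not in the fixed bank")
    last_bank_start = prg_size - BANK_SIZE
    return HEADER_SIZE + last_bank_start + (cpu_addr - FIXED_BANK_BASE)


def build_ips(original: bytes, modified: bytes) -> bytes:
    """Build an IPS patch: 'PATCH', then records of 3-byte offset,
    2-byte length and data, terminated by 'EOF'. Equal-length inputs only."""
    if len(original) != len(modified):
        raise ValueError("this example handles equal-length files only")
    out = bytearray(b"PATCH")
    i, n = 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        # One record per run of differing bytes, capped at the 16-bit length.
        while i < n and original[i] != modified[i] and i - start < 0xFFFF:
            i += 1
        if start >= 0x1000000:
            raise ValueError("offset does not fit in a 3-byte IPS offset")
        chunk = modified[start:i]
        out += start.to_bytes(3, "big") + len(chunk).to_bytes(2, "big") + chunk
    out += b"EOF"
    return bytes(out)


def apply_ips(rom: bytes, patch: bytes) -> bytes:
    """Apply an IPS patch, including RLE records (length 0 -> run, value)."""
    if not patch.startswith(b"PATCH"):
        raise ValueError("not an IPS file")
    out = bytearray(rom)
    pos = 5
    while True:
        if patch[pos:pos + 3] == b"EOF":
            break
        if pos + 5 > len(patch):
            raise ValueError("truncated IPS patch")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size == 0:  # RLE record: 2-byte run length, 1-byte fill value
            run = int.from_bytes(patch[pos:pos + 2], "big")
            data = bytes([patch[pos + 2]]) * run
            pos += 3
        else:
            data = patch[pos:pos + size]
            pos += size
        end = offset + len(data)
        if end > len(out):                      # IPS may grow the target
            out.extend(b"\x00" * (end - len(out)))
        out[offset:end] = data
    return bytes(out)


def demo() -> Tuple[int, bytes, bytes, bytes]:
    """Constructed 32 KiB blank ROM; drop a tiny routine at $C100 and patch it."""
    prg_size = 2 * BANK_SIZE
    header = b"NES\x1a" + bytes([2, 1, 0, 0]) + bytes(8)
    original = header + bytes(prg_size)     # constructed, not Willow
    routine_addr = 0xC100                   # hypothetical home for new code
    code = bytes([0xA9, 0x01, 0x8D, 0x01, 0x60, 0x60])  # LDA #$01 / STA $6001 / RTS
    off = cpu_to_file_offset(routine_addr, prg_size)
    modified = bytearray(original)
    modified[off:off + len(code)] = code
    modified = bytes(modified)
    patch = build_ips(original, modified)
    return off, patch, modified, apply_ips(original, patch)


if __name__ == "__main__":
    off, patch, _, _ = demo()
    print(f"$C100 -> file offset ${off:X}; patch is {len(patch)} bytes")
```

The `cpu_to_file_offset` helper is the one worth keeping in a build script: assemble with the real CPU origin, then let the script translate labels to file offsets, so the patch records land where the mapper will actually fetch them.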
I decided to hijack the password routine and copy a bit of code from the "new game" routine. For now I just loaded up the SRAM with some default values.

It almost worked.

I had a black screen with Willow in it. Switching to inventory and back brought the screen colors to life but the palette seems messed up, though I think I have some idea of how to fix this.

With the code analysis practically complete and most critical variables identified, I can now focus on writing code. The assembler/patcher toolchain makes things much easier as all I have to do is edit the assembly code and re-run my compiler script.

Already I'm halfway to my goal of a Proof-of-concept hack, with a full hack not too far off.

Although state-saves have all but made this hack useless, it's been a fun ride. Maybe I'll put a little how-to together, for the sake of posterity.

Tuesday, February 26, 2008

Useless Hacks Update

I have managed to isolate most of the code that takes up the password entry, testing and stats loading for the NES game Willow. I've also identified where stats are saved in memory, how Willow's map and screen position are stored, and the all-important events and inventory flags.

Coding a replacement function that will load data from SRAM should be pretty easy, and free up a lot of ROM space in the process.

I have yet to figure out how the screens are loaded, so I can load my own custom save game screen, but that's not really part of the Proof of Concept hack.

Just to make things interesting I'll change the PASS WORD text into LOAD GAME.

That's the easy part.

Saving for my PoC requires me to tap into the main game joystick routine and save everything to RAM once a combination (SELECT+B) is pressed. However, in a real hack it'd be nice to have save points.

Adding code to a NES ROM is a bit more problematic because of its memory restrictions and the memory mappers designed to handle this.

You can't just add code to another bank if the original bank doesn't have any space to give up. Since only one bank is mapped at any time, you'd have to push some registers or save in RAM and switch banks to run code from another bank.

I hope to do the loading code tomorrow, that is, if Patapon doesn't distract me long enough.

Last farewell

A faint sensation, not altogether unpleasant, a feeling of coldness deep inside, while bathed in the warmth of a setting sun, while looking out upon a towering white cliff to a golden orange horizon, with feathery clouds lost in the distance.

A sadness that resembled a deep yearning for something that would, now, be forever out of reach, threatening to drown me in a torrent of tears. I was borne aloft only by the unending beauty of all that I had seen and experienced in just my two visits to this world, and yes, this beauty also brought tears to my eyes.

I felt Aslan's hot breath upon my back as I gazed for one last time upon my beloved Narnia.

It was bittersweet... yet somehow... perfect.

The last sentence was paraphrased from an interview with Anna Popplewell, regarding the film Prince Caspian being her last for The Chronicles of Narnia, and was the inspiration for this entry.

Wednesday, February 6, 2008

NES Hacks: Coin Tricks

Here in the Philippines, we had the Japanese version of the Nintendo console, known as the Family Computer (aka Famicom), instead of the dull-grey clunky unit with excessively large cartridges known as the Nintendo Entertainment System.

The Famicom design featured joysticks that were permanently connected to the console and had a port at the front which was used for the optional light gun. This port was usually covered by a red plastic cap when not in use.

There was something mysterious about that port. It has little pins in it, and what I remember is that my uncles and cousins would take a 10 centavo coin and run it across the port's pins with Contra plugged into the game slot and the unit turned on. After a few tries they would get a level select screen.

It's a wonder how anybody figured out how to do this trick, let alone that it worked at all. The regular way to do this utilizes a variation of the Konami Code.

It would be real nice if someone could come up with a solid explanation of why it works. Unless someone already has, and I haven't found the right keywords to google it.

Useless Hacks: Willow on the NES

Willow was the first RPG I played. From then on I was hooked.

It was developed by Capcom and based on George Lucas' movie of the same name, though with a somewhat different plot. Despite (or because of) this, it's been hailed as one of the few movie-to-game translations that are arguably better than their silver screen counterparts.

I didn't own the cart; I borrowed it from a neighbor. It was the Japanese version, and although it did not use any kanji, my Japanese skills were non-existent back then, leaving much of the plot to guesswork and making most of the gameplay trial and error. It was very time consuming moving back and forth between towns, talking to every NPC more than twice, just to get the story to move forward.

The thing was, I still had a blast playing it. The background song during password entry would play in my mind for some time (this was probably because it took so long to enter the password, being in Japanese).

Recently I took up playing the game in English, just for the heck of it, and reliving fond memories of childhood.

I read somewhere that the password entry system was used in order to cut costs and development time. I believe the original plan was to have the data battery backed, just as Zelda did.

This is where the hacking comes in. I thought, why not add a save game feature to Willow?

Now, in a real NES the cart would have a set of RAM with batteries attached. It would be just another address range accessible by memory. In an emulator, a header in the .nes file tells the emu that it has battery-backed RAM; by convention this starts at $6000.

So, just modify the header to include battery backed RAM and poof! It became Koko Crunch!

When the emulator loads the ROM it looks for a corresponding file in the battery-backed-data folder, usually called SAVE or something. Using FCEUltra, it looks just like a raw dump of $6000 - $7FFF. For efficiency, the emulator only updates this file whenever another game is loaded or the emulator shuts down.

I tested this with your typical "Hello World!" text hexed into the RAM dump and booted the ROM. Using FCEU's debugging capabilities, I looked into RAM memory and there it was.
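The header tweak and the "Hello World!" check above come down to one flag bit and an 8 KiB file. As an added example (my code, not the blog author's and not FCEUltra's), the script below builds a constructed iNES header, flips the battery-backed RAM bit, and writes text into an in-memory image of the $6000-$7FFF window the way one would hex it into the emulator's save dump. The header values (8 PRG banks, 16 CHR banks, mapper 1) are arbitrary sample values, not Willow's real header.

```python
"""iNES header inspection, the battery-RAM flag, and a $6000-$7FFF image.

Added example, not the blog's code. Header values are constructed.
Facts relied on: the iNES magic is 'NES' + $1A, byte 6 bit 1 marks
battery-backed PRG RAM, and the mapper number is split across the high
nibbles of bytes 6 and 7.
"""
HEADER_SIZE = 16
SRAM_BASE = 0x6000
SRAM_SIZE = 0x2000          # $6000-$7FFF, 8 KiB
BATTERY_BIT = 0x02          # byte 6, bit 1


def parse_ines_header(rom: bytes) -> dict:
    """Decode the fields of a 16-byte iNES header."""
    if len(rom) < HEADER_SIZE or rom[:4] != b"NES\x1a":
        raise ValueError("not an iNES image")
    flags6, flags7 = rom[6], rom[7]
    return {
        "prg_banks": rom[4],                       # 16 KiB units
        "chr_banks": rom[5],                       # 8 KiB units
        "mapper": (flags7 & 0xF0) | (flags6 >> 4),
        "battery": bool(flags6 & BATTERY_BIT),
        "mirroring": "vertical" if flags6 & 0x01 else "horizontal",
    }


def set_battery_flag(rom: bytes, enabled: bool = True) -> bytes:
    """Return a copy of the image with the battery-backed RAM bit set/cleared."""
    parse_ines_header(rom)                         # validate first
    out = bytearray(rom)
    if enabled:
        out[6] |= BATTERY_BIT
    else:
        out[6] &= 0xFF & ~BATTERY_BIT
    return bytes(out)


def write_sram(sram: bytes, cpu_addr: int, data: bytes) -> bytes:
    """Place bytes at a CPU address inside the $6000-$7FFF save image."""
    off = cpu_addr - SRAM_BASE
    if not 0 <= off or off + len(data) > SRAM_SIZE or len(sram) != SRAM_SIZE:
        raise ValueError(f"${cpu_addr:04X}+{len(data)} is outside battery RAM")
    out = bytearray(sram)
    out[off:off + len(data)] = data
    return bytes(out)


def read_sram(sram: bytes, cpu_addr: int, length: int) -> bytes:
    """Read bytes back from the save image by CPU address."""
    off = cpu_addr - SRAM_BASE
    if not 0 <= off or off + length > SRAM_SIZE:
        raise ValueError(f"${cpu_addr:04X}+{length} is outside battery RAM")
    return sram[off:off + length]


def demo():
    """Constructed header: 8 PRG, 16 CHR, mapper 1, no battery -> battery on."""
    header = b"NES\x1a" + bytes([8, 16, 0x10, 0x00]) + bytes(8)
    rom = header + bytes(0x2000)                   # token body, not a real game
    before = parse_ines_header(rom)
    after = parse_ines_header(set_battery_flag(rom))
    # Fresh save image, then the same "Hello World!" test as the post.
    sram = write_sram(bytes(SRAM_SIZE), 0x6000, b"Hello World!")
    return before, after, sram


if __name__ == "__main__":
    before, after, sram = demo()
    print("battery before/after:", before["battery"], after["battery"])
    print("at $6000:", read_sram(sram, 0x6000, 12))
```

Writing `sram` to disk gives the raw dump the emulator expects in its battery-backed-data folder; keep the file exactly 8 KiB, since the emulator maps it 1:1 onto $6000-$7FFF.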

That was the easy part.

For a Proof of Concept Hack:

  1. Modify the header to make it have battery-backed RAM. (Done)
  2. Find where the stats are located.
  3. Redirect the password routine to copy battery-backed RAM to game stats.
  4. Implement a hack in the game joystick routine to detect an unused button combination (Select-B?) and jump to a routine that saves current stats into battery-backed RAM.

For a complete hack a load and save screen should be implemented, and multiple save slots would be nice.

So far I've found where the password is checked, but nothing too in-depth as I am currently disassembling from the emulator. I've also found the main game joystick routine, so I should be able to insert a jump to my own routine to trap the special button combination for the PoC.

Hopefully I can insert the needed code and (later on) screens without having to expand the ROM.