For our example, were looking at Tengai Makyou Ziria. For TMZ, it’ll load into one of the MPRs the bank location in RAM it wants to write to (in my case it was MPR5, I’m not sure if it matters, although it did load MPR6 with the next bank). You then call the subroutine at 0xE009. In your trace you can then look for reads from location 0×1808 or just search for the location in the MPR it’s writing too (in my case I looked for 0xA000).

One thing I’ll check into and look for is if you can specify how many blocks to load as it loads in 0×800 (2048) blocks. I’ll update this later when I find out…

I do want to warn though, for finding stuff like this, it requires a lot of patience and a lot of guess work (as you’ll see below). By no means will this work for every game but I hope this will help somehow.

For this I recommend you read the document located here : DMA Transfers, Compression, and You

This document describes how were going to find the font but using a different game called Filerna. I’ll of course explain here how I’m going about finding the font as well.

For our utilitie I recommend Geiger’s Snes9x Debugger located here : Romhacking.net, click on Utilities, from the category dropdown select Special Emulators/Debuggers, for Platform dropdown, select Super Nintendo and click ok.

And also ZSNES (it’s easier to dump the VRAM with this). ZSNES

For our tile editor, I recommend YY-CHR located at Romhacking.net, search for YY-CHR.

Load up the game in ZSNES and play past the start screen up to the first screen with the talking head.

Go ahead and save using a save state. Now load this up in YY-CHR. Go ahead and start scrolling and seeing if you can find anything and play around with the tile modes.

If you read the above log/tutorial you’ll know that $20C13 is where VRAM starts, $C13 is where bank 1 of RAM starts (bank $7E), $10C13 is where bank 2 of RAM starts ($7F).

Looking through this you’ll notice that the font is not in RAM (it was worth a shot…) but it is located in RAM at $2AC24 set to tilemode 2BPP GB (I’ve noticed quite a bit of games use this for fonts)

So now we have a choice. We can use this to find our font decompression routine or we can use this to possibly find the text decompression routine. I chose the latter so that’s what we’ll go with

Alrighty, so now let’s make an educated guess. Let’s assume our table starts at $00 = 0, $10 = G, $20 = W, etc etc.

This could possibly be wrong but we’ll go with this for right now.

So let’s think about how we’ll go about this.

First we create our table so we’ll know what the possible values of our characters will be. The first value is usually a space, so make sure to do set $00 = (space), then start with the rest of the table. It is possible it’s not a space but most likely if you don’t see a space character within the table itself, it’s the first character (as is with this game since if you notice there are no empty blocks for where a space may reside).

Second we find a line that is easy for us to read and use our table for.

Third we trace up to the showing of this line from some starting point.

With this in mind, let’s go!

Alrighty, go ahead and close ZSNES if you haven’t already, we’re done with this for right now.

Instead fire up Geiger’s SNES9X and load up SMT If (it breaks upon opening a rom so click Run). Play up to the face again. Looking at this line I couldn’t read a lot of it or match it up to our table above. So go ahead to the next one. Looking at this we have a nice long run of characters we an match up with. So let us reset and the fun start…

For our options in SNES9X, uncheck the squelch part (which set it’s so if something occurs again, it won’t show up, basically used for loops). You could uncheck the split but I wouldn’t recommend it as it’ll chunk up the files and this can get quite huge.

Once you’re up to the first dialogue entry of the talking head, click Step Into. Now click the CPU checkmark under logging. This’ll start logging from where were at. We clicked the step into so we can try to keep the file down in size. Now click Run and hit the button to advance the dialogue as quick as you can. Once the dialogue shows up for the second entry click the CPU checkmark to uncheck it.

Now here’s where Notepad++ comes in handy. Go ahead and load up all of the files in Notepad++. Now let’s look for the letters we see in Snes9x. We’ll look for the A in ANATA. ANATA = 25 39 34. We can probably guess that it’ll be loaded into A, and the first 2 bytes will be set to 00, the rest to our letter. So let’s look for A:0025. Search for this in all open files. Now look for something storing this letter…

Our first hit is $03/94BC 8D 04 05 STA $0504 [$03:0504] A:0025

If we look above, we can see it’s loading it off something that is indexed by Y and actually comes up as $8025.

So we think this may be a possible match, let’s look for $03/94BC to see if it repeats…

Search for the next one using a normal search. We should hit upon $03/952B B7 B4 LDA [$B4],y[$20:E1AA] A:E19C
Look at the next line to see what A will be after this load. Well look at that, it’s $8039! (Which changes to $0039 further down…)

Let’s search the next one…

Now we see $4000. No big deal, let’s keep going as sometimes there’s codes embedded to tell the loop what to do.

Next one is $8047! I think we found our decompression loop!

Now here comes the hard part… figuring out how it works and writing our own utility to decompress the scripts…

And with this I bid everyone a found farewell! Till next time!

Looking around I noticed there really aren’t too many tutorials/howto that go into the assembly side of hacking games.  I’m hoping with this blog that I can go into some of how this is done.  I’m only talking about how to figure out compression/encryption schemes for graphics and text though.  I’m in no way talking about cracking a game to get around copyright protection so if you’re looking for that or asking how to go about doing it, you might as well leave as I can’t help you there.

For the best place to find documents relating to assembly hacking (and rom hacking in general), check out Romhacking.net. I’ll be referencing some of the docs here pointing out the techniques I learned from them that we’ll apply.

For the first game we’ll be looking at the font and text in Shin Megami Tensei If… for the SNES by Atlus.

I recommend checking out Romhacking.net and looking at the docs there on the SNES. Also, I’m not teaching how to romhack here (although I may explain some things) so I definitely recommend looking at some of the newbie guides on there.