ROM Hack Learning rom hacking on Metal Saga

Morm91 · Sep 4, 2014

Hello guys,

I'm currently trying a lots of things on Metal Saga which seems easy to hack, even for a beginner.

I've found a .bin file which contains every item name (H_ITEM_NAME.BIN) and i'm tring to code a tool for that. I have found the pointer table (at the beginning of the file), the first byte of the file is "4C", and every group of 2 bytes after seems to be a pointer (until ?).

The probleme is i cant figure where the table ends. I assume the first "4C" may help to find that but i've got no luck for the moment.

Here is the file :

FAST6191 · Sep 4, 2014

You don't have to learn to hack games using a Japanese game. It is quite acceptable to learn to hack on a game written in a language you are comfortable in. Kudos on making your own tools right off the bat though, many take a while before they bother.

Still looking at it I would say the 4c it starts with is likely not a small magic stamp, size marker or something like but but part of the pointers. Indeed if you flip the bytes you get 044c and at 044c is something that does not look like a pointer (though I am not sure it is shiftJIS like the rest).

Usually though you have three options

1) The first (or some other) value says that size of the pointer field/map/table/section, this can be all sorts of mathematical relations upon the actual length (relative, not counting the header,,,,) but it is there.
2) The pointer section is ended with a value (0000 is a popular one), if not the pointers then the text they deal in quite often does. In this case it seems text sections might end with 00*.
3) A basic ipso facto type thing. If the first pointer in this case points to 044c then basic logic says that the data at 044c is not a pointer, everything before it though. Naturally you can make programs/formats that differ here but it is basic and it works so the sensible programmer, or at least one in need of a basic format with pointers, is not going to do much different.

*be careful just doing a search for 00 as 00 is quite valid with a lot of the other 8 bits in a shiftJIS character.

Morm91 · Sep 5, 2014

Thanks ! And my main goal is to translate japanese games, so it's seemed logical to me to learn rom hacking with a japanese rom.

Anyway, I feel a little stupid but i finally figured it out. Like you assumed, the pointer table begin at the very beginning of the file, and the first pointer (044c) point indeed to something, so everything that is before this adress are pointers (100% sure now).

Thank a lot for your help (i'll probably post new questions here in the future).

my first success :

Morm91 · Sep 9, 2014

Hi guys, here i am again.

Lately, i've been trying to inject text in the file "arm9.bin". In order to do so, i've added some text at the end of the file, and i've tried to update a pointer with the adress of my new text (at the end, so), but it didn't work. That's odd, because i've succesfully update this pointer to other adress near the end of the file and it did work.
My guess is that the adress of the end of the file is written somewhere, and the pointers can't point to something that is beyond this... What do you think ?

Normmatt · Sep 9, 2014

Morm91 said:
Hi guys, here i am again.

Lately, i've been trying to inject text in the file "arm9.bin". In order to do so, i've added some text at the end of the file, and i've tried to update a pointer with the adress of my new text (at the end, so), but it didn't work. That's odd, because i've succesfully update this pointer to other adress near the end of the file and it did work.
My guess is that the adress of the end of the file is written somewhere, and the pointers can't point to something that is beyond this... What do you think ?

You can't just expand the arm9 binary.... you'd need to adjust the section addresses as that area is usually cleared on boot and used as ram.

FAST6191 · Sep 9, 2014

What Normmatt said. You can edit the relevant header entries to extend the RAM size, for some games it might even work. For most though you might find that it needed the space and will not work properly now, or may even get overwritten by something else.

Editing text in the binaries is horrible, as a ROM hacker working on the DS you hope you never have to do this (or in the overlays which have much the same problems). When it happens though I usually find there are three options, with a few more out there ones as well.

1) You do the full memory check, read, extension and more stuff. Really not fun but will work if you do it right.

2) Find some free space in the ARM binary. My favourite places to look at the wifi error strings in the binary, a game this early would not have wifi though. If there are wifi error strings then they might have it in several languages, generally be quite long and easily replaced by something more useful for you. If you have to break a bonus mode or something to have it fit then maybe consider that.

3) You edit the translated text to fit in the space you have, or help it fit in there by some means. Time to bust out the thesaurus if you are editing text (rather than using residence I might use home, or in your case rather than using appartement go with chez). You can cheat a bit here and maybe do things like dual tile encoding and multi character encoding. You can also go further and find that if a game uses say 16 bit shiftJIS then convert the decoder to use an 8 bit encoding instead. If you have repeated sections then maybe consider pointing to the same thing where you can.

The further option could be use the GBA expansion pack. It is present in DS mode and if effectively 32 megabytes of fairly high performance RAM if you want it to be, depending upon the flash cart you are using this might be more like 16 megabytes and might be read only if you have to use the NOR. Given you have all of about 4 megs on the DS none of those are especially horrible scenarios to my mind.

You could also try compression and decompressing it to free space in memory. http://gbatemp.net/threads/unofficial-desmume-build-unused-memory-finder-tool.349332/ has something that might help with that (and 1) for that matter).

Thankfully I usually find it is only menus, maybe character names, some place names or something quite small that appears as text in the binary. Not always, and you have crazy things like Rockman EXE OSS that has everything in overlays (making over 1000 of things), but usually it is just small names and small pieces of text you can afford to mess around a bit.

Morm91 · Sep 10, 2014

Thanks for the answers !

As you say, the texts that i've found in arm9.bin are mostly menus and place names, every item names and dialogues are in specific files that i've manage to edit properly.
So i think i will go with a mix of your solution 2 and 3. The game does use 16bit shiftJS, and i've succesfully used 8bit encoding instead, so for most of the texts menu, editing the translated text to fit in the space i have will work. For the others, i'll find some free space in the arm binary.

Morm91 · Sep 11, 2014

I've found in the arm binary a huge block of '00' bytes, but i don't know if this is some free space or something that the game uses somehow

FAST6191 · Sep 11, 2014

How big is huge? If it is up in the tens of kilobytes range then it is a good bet for something that is free to use. If it is only a couple of dozen/hundred bytes then I would be more careful, however basic checking is easy enough (use it and see if something gets corrupted) so it might be worth a go. The reason you probably want to more careful with shorter things is 00 is quite valid, and by virtue of being the first number the alpha/transparent value, for images and if someone does one binary include (the text you are editing now for instance) they are usually OK with doing two.

It could be scratch space, decompression space, seed space or something else where it would be reserved for use in the game but with the DS using C and C++ you have proper memory management and such techniques tend to go out of fashion when you have such options. Why it would be there I am not sure, being an earlier game though they might still have been getting the compiler/linker properly sorted.

Morm91 · Sep 12, 2014

There is about 640 bytes, and they are just between 2 blocks which contains text (in shiftJIS), so i'm pretty confident about using it

Morm91 · Sep 12, 2014

Hello !

Today, i tried to do a little work on another game : Metal Max 3.
But I've already met a problem: the only files in the file system of the rom are named "pack_data.pak". Thoses seem to be collections of files with probably some compression. In crystalTile2, i can't find any japanese text in the entire rom, but when i open one of these data_pack.pak in Notepad++, here's what i get :

That's strange, because when i look at it in the Hex editor of notepad++, it has not the same content and length as when i open it in CT2.
How is it possible ? Does notepad++ decompress automatically the files or am i missing something ?

Auryn · Sep 12, 2014

Try click there

Morm91 · Sep 12, 2014

Ok i tought only shiftJS could display japanese characters, i'm feeling a little stupid...
Thanks anyway

GHANMI · Sep 12, 2014

My only gripe with Crystaltile is that I could never get it to use TBL files properly (everything goes "unknown byte" dots), or how to change that font to a monospaced font since the colored highlight square is often way off the actual kana/kanji/ascii letter.

And btw since you can see the Japanese text perfectly fine here (and the lines make sense, there's punctuation and perfectly readable Japanese sentences) then it means that at least the text portion is not compressed.

Morm91 · Sep 15, 2014

Yep, i've succesfully changed some text with roman characters, that's not my probleme right now.
No, the big issue here, is that i have to find a way to unpack the "pack_data.pak".

FAST6191 · Sep 15, 2014

Sounds like you have one of those "all subfiles in one big archive" games, it has been seen a few times (phoenix wright, touch detective and the first Tony Hawk title being some other examples). Recall that pointer stuff you opened the thread with? It is usually like that but done for more files, and probably also having some file names as well as maybe some flags to indicate compression. If I have time later today I will have a look at it but it should not be too troubling, bonus is as you are already making your own tools you have the harder part sorted -- pulling apart the files is easy (you can do it with a batch file and something like filecutter) but putting it back together and sorting the pointers is the big trick.

hackotedelaplaqu · Sep 15, 2014

GHANMI said:
My only gripe with Crystaltile is that I could never get it to use TBL files properly (everything goes "unknown byte" dots)

I guess you already know it but did you press CTRL+T after loading table in CT2 ?

If that doesn't work, open tbl file in hex editor and delete first unused byte.

Morm91 · Sep 16, 2014

FAST6191 said:
Sounds like you have one of those "all subfiles in one big archive" games, it has been seen a few times (phoenix wright, touch detective and the first Tony Hawk title being some other examples). Recall that pointer stuff you opened the thread with? It is usually like that but done for more files, and probably also having some file names as well as maybe some flags to indicate compression. If I have time later today I will have a look at it but it should not be too troubling, bonus is as you are already making your own tools you have the harder part sorted -- pulling apart the files is easy (you can do it with a batch file and something like filecutter) but putting it back together and sorting the pointers is the big trick.

I've found the filenames, they are just at the beginning of the pak file, but no luck on finding the pointers for the moment... But I think the first byte indicate the number of files in the pack.
And the graphics seems to be stored in .tex files, which i don't know anything about.

Normmatt · Sep 16, 2014

Morm91 said:
I've found the filenames, they are just at the beginning of the pak file, but no luck on finding the pointers for the moment... But I think the first byte indicate the number of files in the pack.
And the graphics seems to be stored in .tex files, which i don't know anything about.

This is a log of what the game does to read a file from that pack file

FS_ConvertPathToFileID(0x027E356C,"/pack_data.pak");
FS_OpenFileFast(0x027E3910,0x02115C20);
FS_SeekFile(0x027E3910,0x00000182,FS_SEEK_SET);
FS_ReadFile(0x027E3910,0x027E3998,0x00000008);
FS_SeekFile(0x027E3910,0x00061C25,FS_SEEK_SET);
FS_ReadFile(0x027E3910,0x027E3960,0x00000010);
FS_SeekFile(0x027E3910,0x00061C25,FS_SEEK_SET);
FS_ReadFile(0x027E3910,0x022AB780,0x000000B4);
FS_CloseFile(0x027E3910);

seems simple enough. Not sure how it originally seeks to 0x182 but the definately looks like {u32 size, u32 address} to me.

Morm91 · Sep 16, 2014

Thanks Normmatt !

But do you know which "pack_data.pak" is red in this log ? Because i don't find any at 0x027E356C...
And how do you get this log ? With the debug version of NO$GBA ?

I definitely still have a lot to learn

ROM Hack Learning rom hacking on Metal Saga

Member

Techromancer

Member

Member

Former AKAIO Programmer

Techromancer

Member

Member

Techromancer

Member

Member

Well-Known Member

Member

Well-Known Member

Member

Techromancer

Well-Known Member

Member

Former AKAIO Programmer

Member

Similar threads

Popular threads in this forum