Zelda Collector's Edition: WW demo timer and hacking

Discussion in 'Nintendo GameCube' started by twocows, Feb 2, 2013.

  1. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
    Hello. I've managed to replace the save data in the WW demo included with the Collector's Edition with a blank version created from the full version of the game. This allows you to start the "demo" from the very beginning with no restrictions (although you still cannot save, thus making savestates pretty much mandatory). If you then extract the WW demo using GC-Tool or an equivalent editor/extractor and convert it to a GCM using TGCtoGCM, you can play almost the entire game without a time restriction as well. The demo definitely works at least up until the Deku Tree (I tested it myself), but I noticed some of the endgame map files are missing, notably the ones for Hyrule, so presumably the entire game is not present.

    However, the problem is if you do not extract and convert the WW demo, the 20 minute timer is still in effect (presumably it's part of the Collector's Edition logic). I'm not competent enough to figure out how to disable or remove the timer, either in-memory using some sort of cheat or on-disc by debugging (is there even a GCN debugger?) and finding where the timer is located and disabling it. I thought I'd share my experience and maybe someone else can get it working or at least benefit from knowing what I did.

    Basically, the WW demo is stored on the CE disc as a TGC file. Apparently this is pretty similar to a disc image file and can be converted into a GCM image, which can be played on Dolphin or whatever. The WW demo image is very similar to the actual WW image, but it's missing the ending cinematic and some late-game areas as I said earlier. However, there is one addition: under the "res" directory, there is a new sub-directory called "ShopDemo," which contains "zelda_save.bin." This is almost identical to a large section of a memory card save of the full game, but it cannot be modified in-game since it's located on the disc.

    However, we can modify this data ourselves. I created a blank memory card save from the full WW game and extracted it to a GCI file using Dolphin's memory card manager. Using a hex editor, I copied the section from address 2040 and going for 1FC0 blocks up to address 4000 into a new blank file called zelda_save.bin. Using GC-Tool, I replaced that file in the extracted demo GCM image with my new one (not updating the filesize, as it should be the same anyway). Lo and behold, the demo works and shows three blank save locations, which lets you start from the beginning.

    I couldn't find a way to convert a GCM back into a TGC, but luckily it seems there was no encoding used on the disc itself for this data. I did a search on the full CE image for the first two lines of the original zelda_save.bin and found it at offset 419FD5E8. Replacing it there accomplished the same thing as replacing it in the GCM; upon loading the demo from the CE disc, it let me start from the beginning with three blank saves. However, there was one major difference: the 20 minute timer works when it's loaded from the CE disc, even with this done. Obviously the timer logic is included on the CE disc and not in the demo image.

    I'm not sure what I can or cannot include as an attachment, so right now I'm including nothing. All of the tools I've mentioned here should be easily found online and I've provided a way to reproduce my steps, should anyone want to. If someone can assure me it's acceptable, I'd be happy to upload my modified zelda_save.bin.

    Edit: Note that I am using the US version of the game. The hex editor I use is HxD.

    Also, just to clarify, the extracted and converted version of the WW demo works just fine. No timer or anything, since the timer logic is on the CE disc and not the WW demo image.

    Other things people may find interesting:
    The OoT and MM roms are stored as tgc images, which can be converted to gcm images (meaning you can play them standalone). The N64 roms can be extracted from those images (which you can also play standalone, but on an N64 or N64 emulator), though they glitch on the final cutscene unless you use a code (this is documented and already known).

The NES roms are stored in a similar way; you can convert them to GCM images just like with the N64 ones. However, I don't know of any tool able to extract the NES roms from those images. But, you can do it yourself with a hex editor. On the original CE disc, Zelda 1 is located at offset 19A749E0 and ends at 19A949EF (20010 in length). Zelda 2 is located at offset 19C148E0 and ends at 19C548EF (40010 in length). The on-disc NES ROM data is very similar to a ROM dump of the original cartridges and the size matches perfectly, so it was pretty easy to find where the data was. This technique seems like it can be extended to work with some other games with NES data (the bytes to look for are 4E 45 53 1A, the first four bytes of any NES-NTSC rom dump; the endpoint is usually where it would be in the actual NES romdump). Based on my own tests, this is probably not true, as the data appears to be stored differently in other games (such as Animal Crossing and Metroid Prime).

    The two N64 games work both on Dolphin and in an N64 emulator. The two NES games work on an NES emulator, but Dolphin fails at running them (that's a bug with their software, though; the standalone GCM images are still valid and would theoretically run fine on a GCN).
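The two manual hex-editor steps in this post (searching an image for the 4E 45 53 1A bytes and copying a fixed-length region such as the 1FC0 bytes at 2040) can be scripted. The Python below is an added example, not something from the thread or from any of the tools named in it. It reads the iNES header that follows the magic to compute where the ROM ends (header, optional 512-byte trainer, PRG in 16 KiB units, CHR in 8 KiB units), skips decoy hits whose header claims no PRG ROM, and records a SHA-256 of each carved blob so the extraction is reproducible. The disc image it scans is a constructed stand-in built inside the script, not real disc data. Note that 8 PRG units and no CHR units come to 16 + 131072 = 0x20010 bytes, and 8 PRG plus 16 CHR units come to 0x40010, the two lengths the post reports.

```python
import hashlib

# iNES magic: the 4E 45 53 1A bytes the post searches for.
INES_MAGIC = b"NES\x1a"
PRG_UNIT = 16 * 1024   # header byte 4 counts PRG ROM in 16 KiB units
CHR_UNIT = 8 * 1024    # header byte 5 counts CHR ROM in 8 KiB units
TRAINER = 512          # present when bit 2 of header byte 6 is set


def ines_rom_length(header: bytes) -> int:
    """Total file length implied by a 16-byte iNES header."""
    if len(header) < 16 or header[:4] != INES_MAGIC:
        raise ValueError("not an iNES header")
    prg_units, chr_units, flags6 = header[4], header[5], header[6]
    trainer = TRAINER if flags6 & 0x04 else 0
    return 16 + trainer + prg_units * PRG_UNIT + chr_units * CHR_UNIT


def carve_ines_roms(image: bytes, min_prg_units: int = 1):
    """Find every iNES image embedded in `image`.

    Returns a list of (offset, length, sha256_hex). A magic hit whose header
    claims fewer than `min_prg_units` PRG units, or whose declared length runs
    past the end of the blob, is treated as a false positive and skipped.
    """
    found = []
    pos = image.find(INES_MAGIC)
    while pos != -1:
        header = image[pos:pos + 16]
        if len(header) == 16 and header[4] >= min_prg_units:
            length = ines_rom_length(header)
            if pos + length <= len(image):
                digest = hashlib.sha256(image[pos:pos + length]).hexdigest()
                found.append((pos, length, digest))
                pos = image.find(INES_MAGIC, pos + length)
                continue
        pos = image.find(INES_MAGIC, pos + 1)
    return found


def copy_region(blob: bytes, start: int, length: int) -> bytes:
    """The hex-editor step from the post: copy `length` bytes starting at `start`."""
    if start < 0 or start + length > len(blob):
        raise ValueError("region lies outside the blob")
    return blob[start:start + length]


def build_sample_image() -> bytes:
    """Constructed stand-in for a disc image (not real disc data): filler, a
    decoy magic with zero PRG units, then a 128 KiB-PRG / no-CHR iNES image."""
    decoy = INES_MAGIC + bytes(12)                              # prg_units == 0
    header = INES_MAGIC + bytes([8, 0, 0x10, 0]) + bytes(8)     # 8 PRG, 0 CHR, mapper 1
    prg = bytes(range(256)) * (8 * PRG_UNIT // 256)             # 131072 bytes of filler PRG
    return bytes(0x80) + decoy + bytes(0x100 - 0x80 - len(decoy)) + header + prg + bytes(0x40)


if __name__ == "__main__":
    img = build_sample_image()
    for off, ln, sha in carve_ines_roms(img):
        print(f"iNES image at 0x{off:X}, length 0x{ln:X} ({ln} bytes), sha256 {sha[:16]}...")
```

To use it on a real image, replace `build_sample_image()` with the file's bytes; the offsets it prints can be checked against the ones the post lists, and the digest lets you confirm a carved blob is byte-identical to a known ROM dump without comparing the files by hand.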
     
  2. Joe88

    Member Joe88 [λ]

    Joined:
    Jan 6, 2008
    Messages:
    11,191
    Location:
    NYC
    Country:
    United States
So an almost complete copy was included on the Collector's Edition?
I'm curious to see if anything was pulled or added to the retail copy.
     
  3. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
    The final version of Wind Waker has the endgame areas I mentioned and the endgame cinematic. Most of the size difference is from the cinematic; it takes up about a third of the disc. I did not notice any other significant differences when comparing the contents of the two.

    As a side note, the demo is also missing the opening cinematic that plays when you start a new game (the one that explains what happened before the game takes place). I couldn't find any single file associated with this, so either I missed it or it's located in an updated version of a file present in both versions.
     
  4. Maxternal

    Member Maxternal Peanut Gallery Spokesman

    Joined:
    Nov 15, 2011
    Messages:
    5,210
    Location:
    Deep in GBAtemp addiction
    Country:
    Costa Rica
    Just a thought on finding part of the timer logic. It seems to me it's either counting down in minutes, seconds, or milliseconds. You could convert 20 minutes to either of those numbers and find it somewhere with the hex editor and change it. I'd assume the number would only need to show up once (except the case of it just being coded as something more commonplace like 20 minutes that is then changed to something smaller at run-time). There's also the possibility it could be done with something else like processor clock ticks but I'd assume the programmer wouldn't want to write something at that low a level if a more understandable method was available to him.

    I'm not sure if it would help you actually eliminate the timer but it might help you extend it.
     
  5. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
    I tried 20 minutes in seconds originally, but its hex representation (0x04B0 or 0xB004) is too common. I checked milliseconds, but even that shows up in a lot of places. I didn't bother with minutes. However, I think you're right in your later assumption, even if you think you're wrong. I don't know what language Nintendo uses, but I'm pretty sure that any reasonable way of implementing a timer function in C would, at the very least, compile down to something that uses processor ticks. And since we can only see the compiled code, that's probably how it's stored. If anyone knows how fast the GCN's processor ticks, we might be able to search for like the upper n bits of 20 minutes converted to ticks, where n is some arbitrary number (getting more specific in our search would lower our chances of finding the correct value, since it's possible it wasn't set to precisely 20 minutes, so we'd want to have a bit of leeway while searching).

    On the other hand, once it's found, it'd be trivial to change it to a higher value. How much higher, I'm not sure.
     
  6. xwatchmanx

    Member xwatchmanx GBAtemp's (Un)Ironic Weeaboo

    Joined:
    Feb 13, 2012
    Messages:
    6,310
    Location:
    Pittsboro, NC
    Country:
    United States
This is very interesting... Reminds me of that Majora's Mask demo cart they had at Best Buy, etc. The ROM included was actually the full game, but the menu only allowed you to "select" certain parts of the game, with a limit on what you could do. Extracting and hacking the ROM actually allowed you to play the full game (with no other modifications, iirc).
     
  7. Maxternal

    Member Maxternal Peanut Gallery Spokesman

    Joined:
    Nov 15, 2011
    Messages:
    5,210
    Location:
    Deep in GBAtemp addiction
    Country:
    Costa Rica
I think the processor runs at 486 MHz which would be 486,000,000 ticks per second.

I'm not sure if this is the actual number to be used. I've seen that in DM(L)'s code which I think is running on the Wii's ARM processor while running in GameCube mode and it seems to use 243,000,000/128 to represent a second and I think that processor runs at 243 MHz so it's like the counter actually increments every 128 clock ticks ... but, again, I think that's running on the ARM and I can't be sure it would work the same on the PPC since the GameCube ONLY has a PPC proc.

    Hope that helps a little at least.
     
  8. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
    Well, I tried 20 minutes in processor ticks with either of those numbers and didn't find anything. I tried ignoring a few of the least significant digits and came up with nothing. I tried even more and came up with too many results.
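The searches described in this post and in the two earlier replies (20 minutes in seconds, milliseconds, and processor ticks at 486 MHz or 243 MHz/128) can be generated and run systematically. The Python below is an added example written for this thread, not code from any poster. It tabulates the candidate counts, shows which ones cannot even fit in 32 bits (a count that overflows a 32-bit register cannot be a single compiled-in constant, which supports the idea that the game stores a smaller number like minutes or seconds and scales it at run time), and emits the byte patterns a hex editor would look for in both byte orders (the 0x04B0 / 0xB004 pair from the post falls out of it). It also covers a reason a plain hex search for a 32-bit value can miss even when the constant is there: PowerPC has no 32-bit immediate, so the compiler builds the value in two halves with a lis/addi or lis/ori pair, and when the low half is 0x8000 or more the addi form stores a high half one larger than you'd expect. The 40.5 MHz time-base rate in the table is my own assumption (the figure commonly cited for the GameCube's PowerPC time base, bus clock divided by four), not something the thread states; the code bytes it scans are constructed in the script.

```python
import struct

TWENTY_MINUTES_S = 20 * 60

# Counting units proposed in the thread, plus one assumption of mine (labelled):
# the GameCube's PowerPC time base, commonly cited as 40.5 MHz (bus clock / 4).
UNIT_RATES = {
    "seconds": 1,
    "milliseconds": 1_000,
    "cpu ticks @ 486 MHz (thread guess)": 486_000_000,
    "ticks @ 243 MHz / 128 (thread guess)": 243_000_000 / 128,
    "time base @ 40.5 MHz (my assumption)": 40_500_000,
}


def timer_candidates(seconds=TWENTY_MINUTES_S):
    """{label: count} for the limit expressed in every unit, as exact integers."""
    return {label: int(round(seconds * rate)) for label, rate in UNIT_RATES.items()}


def raw_patterns(value):
    """Byte strings a hex editor would find for one integer: big-endian (the
    GameCube's native order) and little-endian, 16-bit and 32-bit when they fit."""
    pats = {}
    if value < 1 << 16:
        pats["be16"], pats["le16"] = struct.pack(">H", value), struct.pack("<H", value)
    if value < 1 << 32:
        pats["be32"], pats["le32"] = struct.pack(">I", value), struct.pack("<I", value)
    return pats


def ppc_halves(value):
    """How a PowerPC compiler materialises a 32-bit constant: lis rD, hi followed
    by addi rD, rD, lo (lo is sign-extended, so hi is bumped when lo >= 0x8000)
    or by ori rD, rD, lo (no adjustment). Returns {'addi': (hi, lo), 'ori': (hi, lo)}."""
    value &= 0xFFFFFFFF
    lo = value & 0xFFFF
    hi_ori = value >> 16
    hi_addi = (hi_ori + (1 if lo & 0x8000 else 0)) & 0xFFFF
    return {"addi": (hi_addi, lo), "ori": (hi_ori, lo)}


def find_materialised(image, value):
    """Offsets of lis/addi or lis/ori pairs that build `value` in a register.
    Scans every byte offset because code inside a disc image need not be 4-byte aligned."""
    if value >= 1 << 32:
        return []  # too wide for one 32-bit immediate pair
    halves = ppc_halves(value)
    hits = []
    for i in range(len(image) - 7):
        w1, w2 = struct.unpack(">II", image[i:i + 8])
        if w1 >> 26 != 15:                     # primary opcode 15 = addis (lis)
            continue
        rd, hi = (w1 >> 21) & 31, w1 & 0xFFFF
        op2, rt, ra, lo = w2 >> 26, (w2 >> 21) & 31, (w2 >> 16) & 31, w2 & 0xFFFF
        if op2 == 14 and ra == rd and (hi, lo) == halves["addi"]:   # addi rT, rA, lo
            hits.append((i, "lis/addi", rt))
        elif op2 == 24 and rt == rd and (hi, lo) == halves["ori"]:  # ori rA, rS, lo
            hits.append((i, "lis/ori", ra))
    return hits


def find_raw(image, value):
    """{pattern_name: [offsets]} for every raw byte pattern of `value`."""
    out = {}
    for name, pat in raw_patterns(value).items():
        offs, pos = [], image.find(pat)
        while pos != -1:
            offs.append(pos)
            pos = image.find(pat, pos + 1)
        out[name] = offs
    return out


# Instruction encoders, used only to build the constructed sample below.
def lis(rd, imm):
    return struct.pack(">I", (15 << 26) | (rd << 21) | (imm & 0xFFFF))

def addi(rt, ra, imm):
    return struct.pack(">I", (14 << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF))

def ori(ra, rs, imm):
    return struct.pack(">I", (24 << 26) | (rs << 21) | (ra << 16) | (imm & 0xFFFF))


def build_sample_code():
    """Constructed bytes (not disc data): 1,200,000 ms built with lis/addi at an
    unaligned offset, then 98304 (low half 0x8000) built with lis/ori."""
    return (bytes(5) + lis(3, 0x12) + addi(3, 3, 0x4F80)
            + bytes(3) + lis(4, 0x0001) + ori(4, 4, 0x8000) + bytes(8))


if __name__ == "__main__":
    for label, count in timer_candidates().items():
        fits = "fits 32 bits" if count < 1 << 32 else "needs 64 bits or a run-time multiply"
        print(f"{label:40s} {count:>16,d}  0x{count:X}  ({fits})")
    code = build_sample_code()
    print(find_materialised(code, 1_200_000))   # [(5, 'lis/addi', 3)]
    print(find_materialised(code, 98304))       # [(16, 'lis/ori', 4)]
```

Against a real image, feed the bytes of the executable to `find_materialised` for each candidate count that fits in 32 bits and to `find_raw` for the rest of the patterns; a pair hit reports the offset of the lis instruction and the register the constant lands in, which is a much narrower lead than the hundreds of raw matches a 16-bit value produces.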
     
  9. Maxternal

    Member Maxternal Peanut Gallery Spokesman

    Joined:
    Nov 15, 2011
    Messages:
    5,210
    Location:
    Deep in GBAtemp addiction
    Country:
    Costa Rica
    Oh well. Who knows how it's actually done. For all I know there could have been something built into their SDK that automatically ran every minute and just counted up to 20. There are SO many ways it could have been done so I can see how it'd be hard to find.
     
  10. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
    Yeah, pretty much. I can think of a few ways around it if I had the patience and know-how to debug GCN code. Like I said before, the image on its own doesn't have a timer, so the logic must be on the CE disc. It might be possible to examine what state data is still in memory just before the demo image is loaded. Or maybe just before, during, and after it transfers control back to the original game disc. Though if the latter approach was taken (disabling the code that transfers control back), there would still be those annoying beeps every five minutes or so (I didn't mention this earlier; I think every five minutes or so, it beeps, presumably to let you know how much time is remaining). I think the best bet would be to try and look at the state information just before or as control is transferred to the demo and maybe mess with that. It's way over my head, though.

    Edit: It might also be possible to take a snapshot of memory as the Nintendo logo flashes on the standalone image and just as the demo loads off the CE disc and see what's different.
     
  11. 2ndApex

    Member 2ndApex GBAtemp Advanced Fan

    Joined:
    Jul 12, 2012
    Messages:
    672
    Country:
    United States
    Don't GC games typically run at 60 FPS?
     
  12. twocows
    OP

    Newcomer twocows Member

    Joined:
    Feb 2, 2013
    Messages:
    47
    Location:
    Michigan
    Country:
    United States
The framerate is related to video; I'm pretty sure it wouldn't have anything to do with an internal timer. That's just how fast it's spitting out frames (or maybe how fast the device is receiving, I'm not sure). The program runs much faster than how fast the frames are output.
     
