Post subject: Need help creating SRAM
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
I'm trying to create some SRAM for Panzer Dragoon Saga in Yabause as Bizhawk doesn't emulate the Saturn's backup memory. Basically if you have a save file of Panzer Dragoon 2 it will give you ingame currency in Saga. For every hour you play you get 100 ingame currency. Obviously if you can put thousands of hours onto the save file you could end up with outrageous amounts of money from the get go. I've been able to locate memory addresses in the player data in Panzer Dragoon 2, and have been able to hack 32k hours into the game. However, exiting the game and starting it up again will cause the game to show what the time played should be. So there must be other timers in the game. However, after a couple of days of looking I've had no success. So I'm needing help and advice to do it.
MESHUGGAH
Other
Skilled player (1918)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
Never played that game or console. So... " For every hour played in Zwei, you will start out Saga with that much Dyne mutiplied by a hundred. For example, if you played Zwei for 8 hours, you will start Saga with 800 Dyne.": - You probably just found the location of the text's string variable or a temporary -integer and that's why it defaults to the original value. - The value probably in a different form. Since you get 100 Dyne for 1 hour, I wouldn't be surprised of a very simple "hours elapsed" kind of counter. You should compare 2 save files, one with 0 hours and one with 1 hours. If you upload it I could spot out the difference.
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
MESHUGGAH
Other
Skilled player (1918)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
First of all I'm unsure that it's a valid way to create a save file by hex editing (or poking memory values), loading it and then resave it, but let's see: List of the 12 byte difference: 0x13B AF - 73 = 60 (minutes?) 0x16D 18 - C3 = 171 0x16F 7E - 2C = 82 0x17B 00 - 01 0x17D 00 - B8 0x17F 01 - B8 0x18B 00 - 01 0x18D 00 - A8 0x18F 00 - 8B 0x19B 00 - 0E 0x1BF 00 - 0A 0x1BB 00 - 08 0x1DF 00 - 05 0x20B 00 - 01 0x297 00 - 20 0x29F 00 - 50 0x30F 00 - 50 0x357 00 - 01 0x37F 00 - 11 0x40F 00 - 03 At first glance I don't smell any checksums and I guess you actually played with the game, as those values changed from 00 to some higher number seems to indicate it. You should try and first just change the bolded ones one by one, I think the game will only checks one of the address. edit: - There's also a debug mode, did you tried using it? https://tcrf.net/Panzer_Dragoon_Saga - Comparing with a GiriGiri save file found on google first result (different game but similar structure), 0x13B (unknown type), 0x17B (maybe number of hours), 0x17F (unknown type) seems to be more likely the one you want to change.
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
It definitely has a checksum. Changing the first bolded address has no effect. Changing the other ones you mentioned causes the save file not to work. Like you mentioned my plan was to poke the ingame variables in an attempt manipulate the ingame clock. Sadly, I don't have the technical know how to calculate checksums in a savefile. However, I have found the breakdown for a Panzer Dragoon Zwei file EDIT: This is another save file I have http://s000.tinyupload.com/index.php?file_id=07519461113384712299 Here's the player data that's on it.
MESHUGGAH
Other
Skilled player (1918)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
Did you tried changing the date using the RAM backup parser? 1. Load file 2. SH2, 64 3. Modify date (4th column) 4. Save Your date values for 0, 1 and 2 hours played: 07-11-2018 15:47 01 37 CE AF 07-11-2018 14:47 01 37 CE 73 07-11-2018 20:11 01 37 CF B7 These are bytes 0x135 0x137 0x139 0x13B According to the forum of this tool:
bit 31..23 - year from 1980 (negative years are supported by ssbkm, i accidentally managed to get circa 1720, not sure how they will be interpreted if ssf) bit 22..19 - month (starting from 1, setting 0 sometimes gives a december of the previous year, but i haven't tested this) bit 18..14 - day (starting from 1) bit 13..9 - hour (starting from 0) bit 8..3 - minute (starting form 0)
Also I still don't see checksum in the file nor mentioned on that forum.
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
I don't see how changing the Saturns internal clock will help. Given that it's ingame time that tracked in the player data, and not how long the game has been powered on for. The Saturn Parser tool I used is a beta tool and doesn't allow for any actual editing. https://github.com/hitomi2500/ss-save-parser/releases/tag/0.9.5 The is a more upto date version of it, but it requires an IDE. Which I'm not able to use. https://github.com/hitomi2500/ss-save-parser
MESHUGGAH
Other
Skilled player (1918)
Joined: 11/14/2009
Posts: 1353
Location: 𝔐𝔞𝔤𝑦𝔞𝔯
- Don't have nor the ROM or the emulator (nor experience of said console), so I'm still just telling my observations from the 3 (+ one public girigiri) save file. - Based on this, and not seeing a checksum in the file, and you saying that Changing the first bolded address has no effect. Changing the other ones you mentioned causes the save file not to work., it really doesn't has a checksum If I were in your place, I would check the trace log around saving a file and loading a file. Since we are just comparing the difference of the result of code applied to store (save) your in game stats, these are all the informations I can give you. edit: I would also probably use a speedhack to get fixed times elapsed to make comparing differences easier. Making the same intervals (0:00:00 time, 0:01:00, 0:02:00) would make it easier to identify the desired addresses. Also using a speedhack would make at least the SRAM more legit instead of manually hex editing values that might not result in the same SRAM as the former one. Also, I saw the columns are editable, didn't tried actually saving it (as I don't have said files). Try to manually change the addresses I written in my last post (which would be the same as doing through the IDE if it would working).
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
I don't know how I would get multiple separate files with everything the same except being one hour apart given the nature of the game. However, I did get five separate files that were the same. Even initialising the internal date and time to be the same each time I powered on the system. Except with each one being a minute part and here's how they compared... PDZ - 0 minutes 0x160 0D = 20 0x160 0F = F9 0x170 0D = 01 0x170 0F = B0 0x180 0D = 00 0x180 0F = 36 0x1B0 07 = 01 0x200 0B = 01 PDZ - 1 minutes 0x160 0D = 28 0x160 0F = 4E 0x170 0D = 0B 0x170 0F = 75 0x180 0D = 07 0x180 0F = F6 0x180 0F = 00 0x200 0B = 00 PDZ - 2 minutes 0x160 0D = 2B 0x160 0F = 5E 0x170 0D = 11 0x170 0F = E8 0x180 0D = 0E 0x180 0F = 39 0x1B0 07 = 00 0x200 0B = 00 PDZ - 3 minutes 0x160 0D = 1B 0x160 0F = 3A 0x170 0D = 15 0x170 0F = 3A 0x180 0D = 15 0x180 0F = 62 0x1B0 07 = 00 0x200 0B = 00 PDZ - 4 minutes 0x160 0D = 2B 0x160 0F = 5E 0x170 0D = 28 0x170 0F = DC 0x180 0D = 1C 0x180 0F = C6 0x1B0 07 = 01 0x200 0B = 01 ___ As you can see the time is stored across eight different values. However, I don't see anything incrementing by a logical amount, which leads me to believe that it's likely storing a frame count. The problem is there isn't any TASing features in Yabause or SSF to make sure I know what the exact frame count should be. If anyone can find the formula that links all these or even wants me to provide more data to assist them, then it would be most helpful.
Editor, Player (69)
Joined: 6/22/2005
Posts: 1050
I think that the 0x180 addresses may actually be the time ones, with F being the lowest byte, D being the next lowest, etc. If you compare the 1-, 2-, 3-, and 4-minute values with the 0-minute value, you get differences of 1984, 3587, 5420, and 7312 (decimal). These are close to multiples of 1800. The formula for the trend line that OpenOffice.org gives me is 1781.7x + 121.5; x is minutes. If you use that to calculate the minutes in the save files you posted earlier, you get close to 1 hour and to 2 hours 15 minutes (I'm assuming that's what 2:15 means in that screen shot). Please double-check my calculations, though. EDIT: Here's a prediction to check if I'm correct: 1337 minutes = 22 hours 17 minutes = 0x24B8C8 (1337 * 1800). Try setting 0x18B to 0x24, 0x18D to 0xB8, and 0x18F to 0xC8. IDK the game, so I hope that time doesn't cause some type of overflow. Or try 0x167088 to get 13 hours 37 minutes.
Current Projects: TAS: Wizards & Warriors III.
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
I'm a bit confused, what save file are you referring to?
Editor, Player (69)
Joined: 6/22/2005
Posts: 1050
The tinyupload links.
Current Projects: TAS: Wizards & Warriors III.
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
Is that the one with 2:15 on it?
Editor, Player (69)
Joined: 6/22/2005
Posts: 1050
I developed the formula using the info you posted here. Then I verified that the 1-hour number from here and the 2:15 number from here make sense in the formula.
Current Projects: TAS: Wizards & Warriors III.
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
I modified the file and got this screen indicating it failed a checksum
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
Update on my efforts. I decided to look for memory addresses in Bizhawk and found two related to the timer. One which starts from the power on, and the other which only increments when you start a new game. The addresses relating to the ingame timer were 0x0731D2 = ingame timer 1 0x0731D3 = ingame timer 2 0x0731D0 = ingame timer 3 0x0731D1 = ingame timer 4 You can't jump max them out however, as the ingame timer would roll over to these weird negative number. I could get the timer to max out at 999 hours and 59 minutes. I then tried to look for these same values in Yabause using MHS, but I just couldn't find them. Mainly because MHS isn't as good as using RAM search in Bizhawk and I can't use frame advance and save states to home in on these values. I then had a look at the SRAM file for Bizhawk and noticed is looked similar to what a Saturn save file should be. Except without FF inserted into every other column. So I manually inserted FF in every even column. Thinking it was a surefire solution. Only for it to fail a checksum. So if any Bizhawk coders are reading this. In a future update please emulate the Saturns backup memory correctly like Yabause and SSF does.
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
Finally managed to do it, it was hard, but I got there in the end.
Editor, Player (69)
Joined: 6/22/2005
Posts: 1050
How does the checksum stuff work?
Current Projects: TAS: Wizards & Warriors III.
creaothceann
He/Him
Editor
Joined: 4/7/2005
Posts: 1874
Location: Germany
Mitjitsu wrote:
Finally managed to do it, it was hard, but I got there in the end.
https://www.explainxkcd.com/wiki/index.php/979:_Wisdom_of_the_Ancients
Mitjitsu
He/Him
Banned User
Joined: 4/24/2006
Posts: 2997
Dacicus wrote:
How does the checksum stuff work?
I didn't calculate the checksum, I just poked the ingame variables. As mentioned earlier in the thread. The Bizhawk developers need to emulate the SRAM correctly to make it more portable, and from looking at how Bizhawk structures save files it shouldn't be that hard to do.