|
What happened to Rocket's "Sonic the Hedgehog Hacking Guide" and Cyan's "Sonic 1 Operation" pages you ask? Both have merged to create the ultimate Sonic hacking page on the net. With both brains put together, you can be assured that you will not find a better source of info anywhere! So check it out!
Some exclusive information from Robert
Flory.
Here is what he wrote:
I have discovered an area in the Sonic 1
Special Stage that contains
_working_ 1-up icons. The area is a bit glitched, since it does
reside
outside the valid maze area, but you can collect the items,
proving that the
1-ups are (somewhat) implemented in the final game and do indeed
work,
and could mean that the other items ( " W " icon, Zone
1, 2, and 3 icons) would
work as well, if someone could figure out a way to place them in
valid maze
space.
I have included a .ZIP containing a
Genecyst save state of the area,
plus a text file describing the area, and explaining a couple of
theories I
have regarding this area.
Pretty interesting, eh? Click here to download the savestate.
TPLaing has sent in loads of level editing info. This page is currently being rushed to get done so it can be released to the public. Therefore, not all the stuff he sent has been posted. It will eventually. Thanks for the info!
Introduction |
For many years, people have tried to hack Sonic 1 in various
ways. Seemingly, though, the only result that has been produced
is that of breaking the game. Sonic 1 hacking therefore lost
popularity around a year ago.
However, these days, Sonic 1 hacking is making an inevitable yet
essential comeback, and that is because people have seen the
light. They saw the light back in May 1999, when Cyan's Sonic 1
Beta Hoax was released. Because this was hacked in a very
specific way, people realised that it was possible and began to
hack the game themselves once more.
However, of all the information out there, none will give you the
information on how to change the palette in a very exact way,
turn on and off the intros, change the text on the level select,
and modify the music's instruments. These are just some of the
many things you will learn by reading this file.
Also, all the hacking methods and addresses in this guide are
known to be correct, and when hacked as stated, the result is
achieved.
Please note that we gained most information on the Sonic 1 ROM
by hacking the ROM ourselves, and did not reference any other
information. However, any reader submissions will be added to
this page, and credit will be given by listing the submitter's
name and e-mail address in square brackets after the information.
If you want to put some of this info in one of your hacking
guides, then please e-mail either of us for permission. We shall
require crediting. If we don't get credited, then.... well, SEGA
will be the first to know! :-<>
Hacking Basics |
As hacking the game involves directly editing both the data and the compiled source code, you will need to make changes to your Sonic 1 ROM. Also, this hacking info has only been tested with the US version of the Sonic 1 ROM. It hasn't been tested with a European or Japanese ROM. Don't expect it to work with these.
Firstly, make sure your ROM file is in .BIN format. If it is
in .SMD or something else, then load the ROM in Genecyst, then go
to the CPU menu, point to DUMP, then select ROM. This will
convert the ROM to a .BIN format, saved on your hard disk as a
file called ROM. You'll have to add the .BIN extension on
yourself by renaming the file. You could also use a conversion
program to change the format. The DUMP feature in Genecyst is a
conversion in itself -- although you have to change the file
extension to .BIN afterwards, it still converts the ROM.
Note that, as some people may believe, simply changing the file
extension is not converting the file, but just changing its name.
This isn't sufficient to allow hacking.
Now, you've got your version of Sonic 1 in BIN format (give it
a more descriptive name if you like -- SONIC1.BIN) and it is
ready to be hacked. But firstly, MAKE A BACKUP COPY!!! Just call
it SONICHK.BIN or something, but if you go changing the original
ROM, then when you break it, you won't be able to go back on your
mistakes.
Every time you accomplish a large hacking task successfully, then
create a numbered copy of the file. For instance, Cyan's hoax ROM
is called SONICHX9.BIN -- the 9th copy of the hoax ROM. The older
versions worked OK, but were not as complete. For instance,
version 6 didn't feature Green Hill at night.
Now, using a HEX editor, load your BACKUP ROM, and observe. The first 17% or so of the ROM is mainly code, and the remaining portions are data. Code is very vulnerable to blast-hacking, but with careful editing, the best features are possible. If you are using HexEdit for Windows, then before use, go to the OPTIONS menu, and click DISPLAY. Make sure you select CHARACTER COUNT from the dialogue box. It also helps to have the HIGHLIGHT WORDS, and WIDE CURSOR options selected. Using the base converter, enter the hex address you want to hack, and convert to decimal. Then do a JUMP TO LINE, BYTE and put the decimal value in.
Note also that all addresses and data in this guide (unless otherwise stated) are in HEX.
Terminology |
Throughout this guide, many seemingly alien terms may be used.
Whenever a HEX value is specified, if it contains lower case
"x" characters, then those characters must be
substituted with a value. For instance, if there was a HEX value
104BD219xx20xx, then the x characters could mean something. By
replacing those with a valid number, then valid data can be
inserted.
Zone names in the game are often shortened to abbreviated
versions:
GHZx = Green Hill Zone Act x
MZx = Marble Zone Act x
and so forth...
With regard to Scrap Brain Zone, you will find there are 3 acts
mentioned, but no Final Zone, and 4 acts on Labyrinth Zone. That
is because Scrap Brain Zone act 3 is actually Labyrinth Zone act
4, and Final Zone is actually Scrap Brain Zone Act 3.
Hex Editing |
Many people don't understand how to hex edit and may get lost.
Hex editing is nothing more than changing the contents of a file,
byte by byte. To do this, you need a program called a HEX EDITOR.
There are many editors, but by far the simplest, and most
reliable of them all is HexEdit for Windows.
A lot of people get confused with regard to the addresses. People
cannot understand why you see things like 00D4 and 0019047. Well,
the 0s to the left of the number mean nothing. Just like in
decimal -- if someone writes you a cheque for $10, then it's no
good adding a few 0s at the left of the number, because you get $00010,
which is still the same thing. However, if you add 0s at the far
right of the number, then clearly it becomes much more profitable!
However, it is usual to add 0s to the left of the number to make
it a certain length -- for instance, addresses for the 68000 are
generally 6 digits long.
If you study the image below, you will see the screen is split up
into 3 sections. The first is a list of addresses down the side.
Most HEX editors have this address in HEX, but HexEdit for
Windows uses decimal.
However, you will note that the numbers go up not in steps of 1,
but in steps of 16 (steps of 10 in hex). This is because each
line contains 16 bytes. Some hex editors will have fewer or more
bytes on one line.
Therefore, the first line contains addresses 0-F, the next line
contains addresses 10-1F, and the next line contains addresses 20-2F,
and so on.
The second area of the display contains a list of bytes. Each
byte requires 2 hex digits to represent it. Therefore, this area
is 32 characters wide. You can click on the byte you wish to
edit, and type the new hex value.
The third area of the screen is a text representation of the
bytes. This is so that you can see if the ROM contains any text
strings. In most cases, you can directly edit this area too.
By using the JUMP TO BYTE function of the hex editor, the cursor
is automatically placed on the byte of your entered address,
without having to count across the line.
Basic Structure |
These are the sections that make up the ROM file. Most addresses are to the nearest multiple of 16, although some are byte-exact:
HEX-ADDRESS FUNCTION
00000-01B58
Header and
initialisation code. Also exception table.
01B59-1DC0D
Main
program code and literal data such as palettes.
1DC0E-21277
Data who's
function is unknown.
21278-21835
Sprite
handling data and code.
21836-21B7D
Data
relating to above code, and emulator code, including breakpoint
definitions.
21B7E-2BBFF
Sonic's
sprites. Hack here to change the artwork.
2BC00-6292F
Essential
data. Includes level maps, some graphics, and other important
data.
62930-64A45
Block angle
information. Some of you refer to this as "solids".
64A46-65463
Unknown
spaced data.
65464-66B15
Unknown 16-bit
data.
66B16-66D45
Unknown 8-bit
data.
66D46-681C7
Graphics,
especially sprites for levels. May be block mappings for sprites.
681C8-?????
Level
initialisation information.
?????-6B095
Block
mappings, esp. 8x8 to 16x16 mapping, for levels.
6B096-713CB
Object
positions for each level.
713CC-719CF
Blank space.
Part of above? Part of below?
719D0-796C5
Sound
programs. The code, and data, that is executed to play a tune.
796C6-*END*
PCM data
for SEGA intro sound. 8-Bit MONO.
Game Engine |
Before you go any further, you may need to know
the basics on the game engine.
Sonic 1's game engine is in three distinct parts. The first part
deals with objects that do something, such as collapsing
platforms, moving platforms, TVs, rings, etc. These are usually
sprites, and are defined in the level as a list of positions like:
RING, 10, 10
TV, 50, 72
MOVING_PLATFORM, 100, 127
Of course, they are not defined in plain text like this, but that
is the general idea behind the object handling system.
The second part of the engine is the motion engine. This deals
with how Sonic and various objects move around the level. It
deals with gravity, friction, etc. This part of the engine not
only allows objects to interact with the world (such as being
pushed, and falling) but also allows Sonic to interact with the
objects, so objects can have surfaces you can walk on. This part
also works very closely with the third part.
The third part of the game deals with the levels. A level is a
static thing, with no moving parts, interactive objects, or
anything. All a level consists of is graphics and different
angled blocks to walk on.
A level is defined on a grid. Each square of the grid can either
be empty, or contain a block. There are a number of blocks in
each level, and each has different properties. A block is 16x16
pixels in size, therefore the average level is something like 300x40
blocks. A block is built up of 4 smaller graphics blocks (tiles),
and this process is known as MAPPING. A block also has a sequence
of angled lines in it, making up a surface you can walk on. There
could also be no lines, meaning that you fall through it.
Therefore each block has four graphical tiles, and one set of
SOLIDS data. There are MANY blocks in each level. A palette of
blocks exists for each level. I would imagine there would be
something like 1024 blocks per level. Now, each square on the
level map can choose one of these 1024 predefined blocks. This
saves you having to define solids and graphics for each square on
the map.
An object is made up of one or more sprites. A sprite is made up
of one or more 8x8 tiles. An object doesn't have to be visible --
take for example "kill blocks". These blocks, when in
debug mode, are visible as Robotnik tiles. Whenever you come into
contact with them, you die. These are used whenever there is a
moving object crushing you into a part of the level. Although
Sonic can be crushed between two objects, he cannot be crushed by
the level. Therefore kill blocks are used. The objects that are
commonly known as spikes are also used at the bottom of lava.
However, they have had their graphics removed. Whenever you turn
off the objects in a level, you can walk through lava.
However, although you can happily change where the sprites are,
and easily change which blocks you can walk on, and at what angle
they are, don't expect to be able to change the level map quite
so easily.
The reason it is so hard is because it is compressed. Imagine a
typical level. There is lots and lots of empty blocks, and lots
and lots of the same block repeated over and over. Each block
takes about 2 bytes to store. Therefore you are looking at a vast
64KB per level, just for the map. However, it so happens that a
PKZip-like compression is applied to this data, and due to its
repetitive nature, the size is reduced to a couple of KB.
Of course, the level is decompressed into RAM, so you can hack
the RAM to change the level, but this is not a permanent hacking
method.
Binary Hacking |
Binary Commands
These are useful commands used throughout the binary.
These will tell you what some parts of the sections are doing in
the game. Any with a "*"
beside them are in hex format, not actual text format.
The function of these commands is not yet fully understood, and
is not 100% reliable.
NqNqNqNqNq Switches to another
frame
Sx ??????
Nu Sprite offsets
UrUrUrUrUr Color palette [Ganarii]
init C initializer?
HB Pixel offsets
FF FF Start
of a level *
4x F9 00 xx xx xx Locates hex locations to find data *
Object Position
Editing
This will allow you to move or place objects where you
want them in a typical level. However, because objects are
handled separately from block placement, you will not be able to
edit the level.
Each object in each level is stored in a list. The X and Y
positions on the map, the object type, and the variation on that
object are stored.
address+0
X high-byte
address+1
X low-byte
address+2
Y high-byte
address+3
Y low-byte
address+4
Object
address+5
Object
Variation
As you can see from the above table, if you jump to the
address of the beginning of the object table for one level, then
the byte the cursor is placed on is the X high-byte. The next
byte is the X low-byte, and so on.
The byte after OBJECT VARIATION is the X high-byte of the next
object in the list.
Addresses for object table beginnings
for each level:
GHZ1
6B096 [
Stealth
]
GHZ2
6B5A0 [
Stealth
]
GHZ3
6BB5E [
Stealth
]
LZ1
6C218 [
Stealth
]
LZ2
6C686 [
Stealth
]
LZ3
6C9C8 [
Stealth
]
LZ4
6CFAA [
Stealth
]
????
6D442 [
Stealth
]
MZ1
6D592 [
Stealth
]
MZ2
6D8FE [
Stealth
]
MZ3
6DDA8 [
Stealth
]
SLZ1
6E31E [
Stealth
]
SLZ2
6E851 [
Stealth
]
SLZ3
6ECC6 [
Stealth
]
SYZ1
6F2A8 [
Stealth
]
SYZ2
6F734 [
Stealth
]
SYZ3
6FC9E [
Stealth
]
SBZ1
702A4 [
Stealth
]
SBZ2
709E2 [
Stealth
]
SBZ3
710C0
GEND
710D2 [
Stealth
]
BEND
71204 [
Stealth
]
Now, here is an object list:
01 00
Sonic [
TPLaing
]
09 00
Scrolling background [
TPLaing
]
0A 00
UNKNOWN (floats up)
[
TPLaing
]
0B 00 Hang bar (from LZ)
[
TPLaing
]
0C 00 One-way forcefield
0C 01
Fast
automatic door
0C 02
Slow
automatic door
0D 00
End
sign
[
TPLaing
]
0E 00
Thing above Sonic
0F 00
Thing below Sonic
11 xx
Log
bridges
15 00-0D
Swinging platforms of different lengths
15 10-1D
Swinging balls of different lengths
25 xx
Ring(s)
34 00
Zone
title
37 00
Ring
loss
39 00
Game
over
3A 00
End
score countups
3B 00
Rock
[
Rick Rogers
]
3D 00
Robotnik and his capable craft
41 02
Yellow spring up
TVs
A6 00
Static
A6 01
Robotnik
A6 02
1-Up
A6 03
Power Sneakers
A6 04
Shield
A6 05
Invincible
A6 06
Super Ring
A6 07
Super Sonic
A6 08
X-Ray
Glasses
A6 09
Broken TV
A6 0A
Stopped TV
Floor Layout
Floor layout (generally level design) works with sets
of 256x256 floors with a single byte representing the floor
object that is placed. The floor layout works by reading the
bytes one by one in order and are placed upon a 256x256 grid.
This means that you can't freely place them at any location at
any pixel you want. Green Hill act 1 starts at 068C80. Each row
is based on a total of 64 bytes. Here is a list of pictured floor
objects which you will need to guide you. Remember that you can
click on the pictures below to see them in full scale.
00
NULL SPACE
01
02
03
04
05
06 07
08
09
0A
Misc Properties
This contains the rest of the information that the
game has configured.
0337A
First
entry on level select screen -- level number
0337B
First entry on level select screen -- act number
0337C
Second entry on level select screen -- level number
0337D
Second entry on level select screen -- act number
And so on, for each act of each zone. By changing these
values, you can point the items on the Level Selection Screen to
different zones / acts.
Text
Editing
That's right! Thanks to many hours of
intense hacking, the information is now available to hack the
Sonic 1 level selection text. This system also works with the
level select and option screen text in Sonic 2 final! However,
Cyan cannot be bothered to print the table and addresses used in
Sonic 2. If enough of you mail Cyan requesting them, they may be
placed up here somewhere.
Firstly, you must understand how ASCII works. For instance, if
you want a letter A, then that is 41 in hex. A letter B is 42 in
hex, and so on. Why they decided to start the alphabet at this
number... who knows? However, the immensely popular people at
Sonic Team have decided to do away with this crappy system. This
is the list of hex values corresponding to the letters on the
level select screen:
00 = 0 01 = 1 02 = 2 03 = 3
04 = 4 05 = 5 06 = 6 07 = 7
08 = 8 09 = 9 0A = $ 0B = -
0C = = 0D = <- 0E = <- 0F = Y
10 = Z 11 = A 12 = B 13 = C
14 = D 15 = E 16 = F 17 = G
18 = H 19 = I 1A = J 1B = K
1C = L 1D = M 1E = N 1F = O
20 = P 21 = Q 22 = R 23 = S
24 = T 25 = U 26 = V 27 = W
28 = X FF = space
So there you have it. Firstly, convert the
text you want to change the entry to into hex using the above
table.
Now you are ready to hack. Incidentally, the reason for the above
complexity is not just to do with the Genesis hardware. It is to
hacker-proof it as well... Hahahahaha!
Anyway, here are the hex addresses where each line of text is
stored:
35A2 = Green Hill Zone
35EA = Labyrinth Zone
3632 = Marble Zone
367A = Star Light Zone
36C2 = Spring Yard Zone
370A = Scrap Brain Zone
3752 = Final Zone (don't forget, from here down there are no STAGE messages)
376A = Special Stage
3782 = Sound Select
You'll note that after the zone title,
there is a load of spaces, then STAGE 1, then more spaces, then
STAGE 2, then more spaces, then STAGE 3. Generally there is no
space between STAGE 3 and the next Zone. The addresses listed
here are the first letter of each zone title.
Palette
Editing
Believe it or not, thanks to Cyan's
powerful hacking attempts, you can now change the palettes for
various sections in the game!
Firstly, make sure you understand how the Genesis deals with its
hardware.
As I hope you are aware, a palette is a list of colors. The
colors are mixed out of the three primary colors -- RED GREEN and
BLUE.
Now, when doing artwork on the PC, you will normally encounter a
palette if you are drawing in 16 or 256 colors. However, the
Genesis deals with its palette in a slightly strange way.
Instead of having a single palette of a certain number of colors,
such as 16, or 256, the Genesis has four separate palettes, each
15 colors in size. Whenever a tile is drawn to the screen, it can
use any one of these four palettes. For instance, Sonic's sprites
always use the first palette. However, tiles from the zones can
use any one of the palettes, but they are normally constrained to
the last three.
The first palette is a FIXED palette, that is, it contains all
the colors used for things that appear in all zones -- Sonic,
rings, etc.
However, the other palettes change depending on what colors are
in the zone.
You may note that, when you observe the palette of the Genesis,
you see 16 colors in each palette. However, the first color of
the palette is always shown as the color of the border (only
visible on the original machine). Whenever this color is used in
a sprite, it appears as transparent. As this color isn't really a
color, but an indicator, you cannot set the RGB values for it.
That is why, for all intents and purposes, the Genesis has four
15-color palettes. When I refer to the first entry in the
palette, I mean the one after the transparent color. Arguably,
you can set the RGB values for this transparent color, as it
determines the border color. However, all of the four transparent
colors are somehow linked, so it is not a good idea to attempt
this procedure.
Now, as you may know from PC artwork, the three primary colors
are mixed in varying quantities. 255 is full brightness, and 0 is
black. Therefore there are three values each between 0-255.
However, the Genesis doesn't have a true color palette like the
PC. Instead, it has 8 shades of each color. This means that the
values range between 0-7, instead of 0-255.
However, that doesn't mean the screen is very dim, as 7 is full
brightness, and 0 is black.
Therefore, to convert a shade from the PC into a shade the
Genesis can use, divide the value by 32, and floor it (remove the
decimal point, so 7.8902 becomes 7).
Now you know how the Genesis deals with colors, you need to know
how to hack the specific addresses in a manner that will be both
productive and fascinating.
To do this, you will need to get a palette to work with. Go to
the zone you want to alter using the Genecyst emulator, and press
F9 to take a screenshot.
Load this screenshot into an image editing program such as
Autodesk (for DOS), or Paint Shop Pro, and look at the palette.
Make the changes to the appropriate entries, recording which
entries you changed, and what you changed them to. Be sure to
ignore the transparent color. Hint: if you use PSP, and create
the screenshot with Genecyst, you will find that the palette is
show on screen nicely organised in four sets of four.
Now you are ready to insert the new palettes into the ROM. To do
this, you will need to convert your values into a form which will
hack into the ROM.
To do this, take your color values, and divide them by 16 (NOT 32).
Then, lose the stuff after the decimal point.
If the number is odd, then round it down (or up) to an even
number. This should mean that the highest value you can get is 14.
Make sure you don't round it up above 14, or below 0.
Now, convert those values into hex. They should come out as a
single hex digit.
Open the ROM in the hex editor, jump to your chosen address (see
below) and insert the data. Each color has four hex digits to
represent it. As you have converted each of the R, G, and B
components of the color into hex, then put a 0 in, then the B hex
value, then the G hex value, and finally the R hex value. This
will make changes to the first entry of that palette. You can
then repeat this process for the other entries.
So, here is a list of addresses. There isn't much at the moment,
but when Cyan can be bothered, more addresses will be added.
Here is the bit-map for the bytes:
_______MSB______LSB
byte 1 = ----bbb-
byte 2 = ggg-rrr-
238A = First "real" color on master palette (first palette of all zones)
23AA = First "real" color on second palette of Green Hill Zone color set
23CA = First "real" color on third palette of Green Hill Zone color set
23EA = First "real" color on fourth palette of Green Hill Zone color set
25AA = First "real" color on second palette of Spring Yard Zone color set
25CA = First "real" color on third palette of Spring Yard Zone color set
25EA = First "real" color on fourth palette of Spring Yard Zone color set
Genecyst Savestate Hacking |
There is tons of info saved in savestates. All the ram that the game reads from is saved. This includes the art that is loaded, level, status, and tons more. Here is the info we have on it.
Startup Data
Startup data is the data that contains
lives, level, etc. It is very useful for you cheaters out there!
There are some things you need to know first. Lives are defined
like this:
000 00
001 01
002 02
003 03
004 04
005 05
006 06
007 07
008 08
009 09
010 0A
011 0B
012 0C
013 0D
The first number is the number of lives and the last number is it's value. You should see a pattern in this table. Since FF is the highest you can go, this means the max number of lives you can have is 255. Act values are also easy. 00 is act 1, 01 is act 2, and 02 is act 3. It is as simple as pie.
011BD8 - Max speed
011BDA - Acceleration
011BDC - Slow down
012271 - Sprite sets [Tails]
012272 - Previous level music
012288 - Level
012289 - Act
01228A - Lives
012290 - Continues
012299 - Rings in 1's (must pick up a ring to display)
01229A - Rings in 256's (must pick up a ring to display)
01229B - Minutes on clock
01229C - Seconds on clock
01229D - Middle seconds on clock
01229E - Score in 16,777,216's (must get more points to display)
01229F - Score in 65,536's (must get more points to display)
0122A0 - Score in 256's (must get more points to display)
0122A1 - Score in 1(0)'s (must get more points to display)
0123E9 - Player in special stage (doesn't function in the
original) [Yarharhar]
0123EB - Player in game (only Sonic in the original) [Yarharhar]
Gamma
Edit this section to change the brightness of a
certain color.
011FB8-??????
Debug
This contains info on how to turn on Debug mode and
swap monitors.
01227E - Change current monitor selected in Debug mode
012472 - Change to 01 to enable Debug
012280 - Sprite selected (only 02 seems to work)
012281 - Toggle Debug on and off.
Here are descriptions on how to get certain monitors:
01 = Invincible
03 = Super Ring
Level Select
This will let you activate the level select menu and
change the cursor position along with the sound number.
012448 - Enable slow motion (would normally be activated when
level select is enabled)
012449 - Enable level select
0123FB - Selection
0123FD - Sound #
The level selection works like this:
00 Green Hill 1
01 Green Hill 2
02 Green Hill 3
03 Marble 1
04 Marble 2
05 Marble 3
06 Spring Yard 1
15 is the sound test and if you select 16, Hidden Palace will be selected! However, it won't be playable the way you think it will be.
Art
This will let you edit the artwork pixel by pixel..
012478-END
If you have any questions, comments, hacking
info, or something else, you can e-mail us.
Cyan - manic@emulationzone.org / Website - The Underground Zone
Rocket - saxman@shentel.net / ICQ -
8257368.
This page is part of the "Sonic Hacking Community"! | ||
Sonic The Hedgehog | Sonic The Hedgehog 2 | Sonic The Hedgehog 3K |