A Brief History of Hacking

As you may know, I was the one who originally found the secret behind switching levels in an emulator, and discovered how to get the Hidden Palace zone in a save state. I also found out how to activate debug in Sonic 2 beta (sort-of), and have done even more hacking since!

Back... Back, through the mists of time... to my original Genesis, and my cart of Sonic 2.

It all started when I first got my Action Replay cheat cartridge. A code-book was supplied with it, and naturally I looked at the Sonic sections first. All the usual ones were there: infinite lives, unlimited rings, etc. I then saw the code to select levels, and noticed in the level table that 08 said (Incomplete) Hidden Palace. I tried it out, and since then I was obsessed with the zone, trying to get more graphics in, fiddling with more codes, etc.

My original site was the first to show the pics of Hidden Palace Zone, scanned from my Genesis console.

When emulators came out, I dumped the Sonic 2 ROM and tried to get Hidden Palace on an emulator - but failed. Emulators didn't support the Action Replay cheats. Then I had a thought - if an emulator save state is just a dump of the Genesis RAM with a bit tagged on, I should be able to find the RAM in a save state!

I took a snapshot of a normal place in Emerald Hill, and also dumped the RAM for that exact point. Then, I studied the RAM in a hex editor:

+-[_]--------0--1--2--3--4--5--6--7--8--9--A--B--C--D--E--F----------------[]-+
¦ 00000A0 ¦ F0 4C F0 50 F0 56 F0 50 F0 50 F0 51 F0 50 F0 4D ¦ _L_P_V_P_P_Q_P_M ¦
¦ 00000B0 ¦ F0 05 F0 06 F0 05 F0 06 F0 05 F0 06 F0 05 F0 06 ¦ _._._._._._._._. ¦
¦ 00000C0 ¦ F0 07 F0 08 00 07 00 08 00 07 00 08 F0 07 F0 08 ¦ _._........._._. ¦
¦ 00000D0 ¦ F0 0A F0 0B 00 0A 00 0B 00 0A 00 0B F0 0A F0 0B ¦ _._........._._. ¦
¦ 00000E0 ¦ F0 15 F0 15 F0 15 F0 15 F0 15 F0 15 F0 15 F0 15 ¦ _._._._._._._._. ¦
¦ 00000F0 ¦ F0 05 F0 06 F0 05 F0 06 F0 05 F0 06 F0 05 F0 06 ¦ _._._._._._._._. ¦
¦ 0000100 ¦ 00 00 00 00 00 00 00 00 F0 2B F0 2C F0 2D F0 2E ¦ ........_+_,_-_. ¦
¦ 0000110 ¦ F0 2B F0 2C F0 2D F0 2E F0 2F F0 30 F0 41 F4 41 ¦ _+_,_-_._/_0_A_A ¦

Afterwards, I loaded up the save state in my hex editor, and looked for the same piece of code. Sure enough, I found it!

+-[_]--------0--1--2--3--4--5--6--7--8--9--A--B--C--D--E--F----------------[]-+
¦ 0002510 ¦ 00 03 00 04 04 04 04 03 F0 4C F0 50 F0 56 F0 50 ¦ ........_L_P_V_P ¦
¦ 0002520 ¦ F0 50 F0 51 F0 50 F0 4D F0 05 F0 06 F0 05 F0 06 ¦ _P_Q_P_M_._._._. ¦
¦ 0002530 ¦ F0 05 F0 06 F0 05 F0 06 F0 07 F0 08 00 07 00 08 ¦ _._._._._._..... ¦
¦ 0002540 ¦ 00 07 00 08 F0 07 F0 08 F0 0A F0 0B 00 0A 00 0B ¦ ...._._._._..... ¦
¦ 0002550 ¦ 00 0A 00 0B F0 0A F0 0B F0 15 F0 15 F0 15 F0 15 ¦ ...._._._._._._. ¦
¦ 0002560 ¦ F0 15 F0 15 F0 15 F0 15 F0 05 F0 06 F0 05 F0 06 ¦ _._._._._._._._. ¦
¦ 0002570 ¦ F0 05 F0 06 F0 05 F0 06 00 00 00 00 00 00 00 00 ¦ _._._._......... ¦
¦ 0002580 ¦ F0 2B F0 2C F0 2D F0 2E F0 2B F0 2C F0 2D F0 2E ¦ _+_,_-_._+_,_-_. ¦

Then, using a little bit of calculation, I found the point where the Genesis RAM dump starts in the save state. I worked it out as 2478.

Then I could begin my real hacking... I took the code for accessing Hidden Palace, and chopped off the first two Fs to give me the address FE10. Then, using a hex calculator, I added together the raw address and the address of the start of the RAM, to give me the location in the save state. It came out as 12288. I then went back to the hex editor, found that location and changed its value from 00 (Emerald Hill) to 08 (Hidden Palace). Sure enough, when I reloaded the save state I was in Hidden Palace! The debug code for Sonic 2 beta was worked out in the same way - FE09 + 2478 = 12281 - change that to 01 to enable debug!
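The offset arithmetic above, as an added Python example that is not the author's own code: it finds the RAM dump inside a save state by searching for the first row of the RAM dump shown earlier, then maps a cheat address to a file offset. The function names are hypothetical and the save state is constructed in memory (filler header plus 64 KiB of RAM); all addresses are hexadecimal.

```python
"""Added example: map Genesis RAM addresses to save-state file offsets."""

RAM_SIZE = 0x10000  # 64 KiB of work RAM, cheat addresses FF0000-FFFFFF

# First row of the RAM dump shown on the page, found at RAM offset 0xA0.
SIGNATURE = bytes.fromhex("F04CF050F056F050F050F051F050F04D")
SIGNATURE_RAM_OFFSET = 0xA0


def find_ram_base(state: bytes, signature: bytes, ram_offset: int) -> int:
    """Return the file offset where the RAM dump starts inside the save state."""
    hit = state.find(signature)
    if hit < 0:
        raise ValueError("signature not found: state may be compressed or byte-swapped")
    if state.find(signature, hit + 1) >= 0:
        raise ValueError("signature is ambiguous: use a longer run of bytes")
    base = hit - ram_offset
    if base < 0 or base + RAM_SIZE > len(state):
        raise ValueError("computed RAM base falls outside the file")
    return base


def file_offset(base: int, cheat_address: int) -> int:
    """Drop the leading FF of a cheat address such as FFFE10 and add the base."""
    return base + (cheat_address & 0xFFFF)


def patch(state: bytes, base: int, cheat_address: int, value: int) -> bytes:
    """Return a copy of the save state with one RAM byte changed."""
    out = bytearray(state)
    out[file_offset(base, cheat_address)] = value
    return bytes(out)


def build_constructed_state() -> bytes:
    """Constructed sample: 0x2478 filler bytes of header, then 64 KiB of RAM."""
    ram = bytearray(RAM_SIZE)
    ram[SIGNATURE_RAM_OFFSET:SIGNATURE_RAM_OFFSET + len(SIGNATURE)] = SIGNATURE
    return bytes([0xAA]) * 0x2478 + bytes(ram)


if __name__ == "__main__":
    state = build_constructed_state()
    base = find_ram_base(state, SIGNATURE, SIGNATURE_RAM_OFFSET)
    print(hex(base), hex(file_offset(base, 0xFFFE10)))
    patched = patch(state, base, 0xFFFE10, 0x08)  # 08 = Hidden Palace
    print(hex(patched[file_offset(base, 0xFFFE10)]))
```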

I then replaced my Genesis scans of Hidden Palace zone with screenshots from the emulator.

2. Knuckles in Sonic 3 trick

This one was slightly trickier, in that I did not have an original code to work from. Therefore, I went to the game select screen in Sonic 3, and took three save states with different characters selected - one for Sonic & Tails, one for Sonic alone, and one for Tails alone. I then went into DOS and did FC on the files, and wrote down all the locations where 00 had changed to 01, then to 02. (This is the way the Action Replay cheat search works.) Eventually I found three locations, and by doing more save states was able to narrow the possibilities down to one. I then went to that area in the save state, and changed it to 03. Sure enough, when I reloaded the save state Knuckles was selected!

Here's a hint - if you're using FC to compare savestates and the list of differences is too big to be displayed all at once, then try it like this:

FC /B FILE1 FILE2 > DIFF.TXT

This will create a file called DIFF.TXT which will contain the output of FC - look at that to find the differences.