My first ROM Hack, fixing the infinite magic on Master System's Ninja Gaiden
TL;DR
I have made my first ROM hack, fixing an issue on Master System’s Ninja Gaiden, where get infinite magic points once you collect 999 or more of them.
Here are the BPS patches:
A bit of my motivation
Growing up in Brazil, I owned a Sega Master System when I was kid. The SMS was far more available there, and probably more popular then the Nintendo Entertainment System (NES), as it was very well distributed by a local company, Tec Toy.
I’m a long time gamer, and a software developer by trade, with some knowledge on electronics and retro computers architecture, more theoretical than practical.
Putting all that together, it is not a surprise that I have a certain fascination for retro games and their inner workings.
For quite some time now I have been wanting to get something done in that area, and ROM hacking is a nice way to get acquainted with the topic.
In my spare time I am also an occasional podcaster. At Fliperama de Boteco, a Brazilian podcast, we talk mostly about retro games. Some time ago we published an episode on Ninja Gaiden for the Master System. One of things that got our attention was the fact that once you collected more than 999 magic points, you could use special weapons and magic without running out of points, specially with a fire magic that makes you invincible, and normally cost you 50 magic points. That made the game too easy, and to me it felt like a bug, as you could collect enough magic to do this early in the game.
Recently, someone posted about this game in a Brazilian Master System group on Facebook, and one of the replies was “I pray that someone will make a hack to fix the bug of the thousand magic points … it makes the game too easy when it reaches 999”. I took that as an interesting challenge to get myself initiated in ROM hacking, and went for it.
How I did it
The fist step was to find out where in the RAM (Random Access Memory) the information about the number of magic points was stored.
I started searching for it using the emulator BizHawk, which contains a RAM Search function.
Using this feature, I eventually found out that magic points were stored in the following addresses:
0x1FB8
- first digit0x1FB9
- second digit0x1FBA
- third digit0x1FBB
- this one is normally 0, but it is set to 255 (0xFF
in hexadecimal) when you collect more than 999 points
For example, if you have 150 magic points, these will be the values stored addresses above:
0x1FB8
- 00x1FB9
- 50x1FBA
- 10x1FBB
- 0
One important information, this addresses are relative to 0x0000
, but RAM on the Master System is mapped to the address range from 0xC000-0xDFFF
(and mirrored on the address range 0xE000-0xFFFF
), so 0x1FB8
is actually mapped at 0xDFBB
or 0xFFBB
.
Now that I have identified these addresses, I started looking for the code that changed their content.
For that I used a different emulator, Emulicious, which has a very good disassembler and debugger.
I added breakpoints to stop the execution where this addresses were read or written, and started doing stuff like using magic and getting items that granted magic points, also reaching over 999, then checking the code around the breakpoints.
Ultimately I discovered that 0xDFBB
was used to protect the magic counter from overflowing, but I also found out that it was checked at the beginning of routine that subtracted magic points when magic was used:
_LABEL_50D9_:
ld a, (_RAM_DFC3_)
or a
jr nz, _LABEL_513E_
ld a, (_RAM_DFBB_) ; load content of 0xDFBB into register a
or a ; bitwise OR of a with a, store the result in a
jr nz, _LABEL_513E_ ; jump to 0x513E if the result of last operation (a) is not zero
... ; continue to subtraction routine
_LABEL_513E_:
scf
ret
So I figured that setting the content of 0xDFBB
back to zero, instead of checking it and jumping, should give me the result I wanted.
To do that, I used the Hex Editor wxHexEditor.
First thing was look at the address 0x50D9
(20697 in decimal) and locate the opcodes for the check:
Now, without calling another routine, I had 6 bytes to do what I wanted, set the content of 0xDFBB
with 0
.
There are more sophisticated ways of doing this, like using a Z80 assembler like WLA-DX, but that would be like bringing a gun to a knife fight. I did not even had to look for the opcodes of the instructions I wanted to use to replace the check:
ld a, $00
ld ($DFBB), a
there was a very similar piece of code just above the one I wanted to change:
It was only 5 bytes, I just had to adapt so that it was ld a, $00
instead of ld a, $FF
, and fill the remaining byte with 0
, which is the instruction nop
(No Operation):
Now, I tried to load the game, and…
Ooops, something is wrong…
The ROMs have a checksum stored at the address 0x7FFA
, which is checked by the BIOS. After hacking the ROM we need to adjust the checksum. To calculate the checksum for the patch I used the command line tool SMS Check:
C:\Emuladores\Roms-SMS>smscheck.exe "Ninja Gaiden (Europe) - avoid infinite magic.sms"
SMS Check 0.24 - by Omar Cornut (Bock), Apr 19 2016
http://www.smspower.org
--
[./Ninja Gaiden (Europe) - patched with failure.sms]
Size ...... 262144
Header .... 54 4D 52 20 53 45 47 41 00 00 AD 4C 01 71 00 40
System .... SMS Export (4)
Size ...... 256k+
CheckSum .. 4BB3, Bad. Should be 4CAD
FullSum ... 1674F91
All, right, now I adjusted the checksum in the ROM, again using the hex editor:
And, there we go:
No more infinite fire magic!
Now I had my hack ready, so it is time to produce a BPS patch, I used a tool called Floating IPS.
And there we have it, a patch file ready to be applied: Ninja-Gaiden-Europe-avoid-infinite-magic.bps
Later I was informed that there was also a prototype ROM for Ninja Gaiden on the Master System, so I produced a patch for that one too: Ninja-Gaiden-Europe-prototype-avoid-infinite-magic.bps
Closing words
It was a fun ride, getting acquainted with Z80 assembly takes a bit of patience, my last contact with assembly was around 20 years ago… managing to read it after sometime is quite satisfactory. I hope this blog post helps other people that would like to get started with ROM hacking.
A huge thanks go to the people maintaining the excellent content on the website smspower.org.
References
- https://en.wikipedia.org/wiki/Ninja_Gaiden_(Master_System)
- http://www.romhacking.net/forum/index.php?topic=19594.msg276409#msg276409
- https://landley.net/history/mirror/cpm/z80.html
- https://wikiti.brandonw.net/index.php?title=Z80_Instruction_Set
- Trainers - Do It Yourself at smspower.org
- Z80 Instructions Set at smspower.org
- ROM Header, Checksum at smspower.org
- How to Use BPS and IPS Patch Files at smspower.org
- Floating IPS at romhacking.net