This post follows part 1, where we defined our goal hacking Rampart on Genesis.
We want to change to change the time available to repair our walls to make the game easier.
Now it’s time to run Bizhawk and dive into the RAM content. We’re using a searching tool for this.
The idea is to scan for a specific value hidden somewhere in the memory and check the changes to keep only the good address.
Launch Rampart and open the RAM Search (Tools-> RAM Search)
Start a new game, go to the first repair time and do a savestate.
When the timer starts, pause emulation and do a first RAM search on its actual value.
We’re looking for a 2 Byte Unsigned value.
Let’s keep on with those 2 results.
Resume the game, let the timer go on a bit, pause again and do another search with the new value:
The result window is now empty. No 14 has turned into a 10 in memory. It means our time value is not stored as is in RAM.
We must try it another way. Reload the savestate, now we’re looking for a decreasing value. Let the timer run and do a new search with this setup:
Search again with the game running until you only have one result:
We can see the time left is stored in 10th of seconds in RAM and is displayed rounded (176 becomes 17,6 rounded to 18)
05C2 is our time remaining address. Let’s add it to the RAM watch:
From the RAM watch window, we can now freeze the timer or set it to a new value (poke).
We now want to find is the address where the initial time is defined. So let’s look for a 220 in RAM (22s x 10 in normal mode).
We have 3 results that we can add to the RAM watch:
Soft reset the game in easy mode and look for the result that becomes a 250 (25s x 10 in easy mode)
We only have one matching result. 054C is the RAM address we’re looking for.
Poke this address with a new value and you’ll see the time available change. It’s OK for a live hack of the game, but what we want to do now is building a modified rom.
We’ll see how in the next part!