How to Hack - Experience Level
by Anthony Caudill (tcaudilllg)
+-------------------------

Experience level is one way to control the flow of a game. Older games have large differences between levels, to accommodate the brevity of their exploration phases. Dragon Quest and Hydlide are notable examples. As memory became cheaper and games became larger, distances between levels fell so that players could spend more of the intended length of the game on exploration. However, even some later games had onerous grinding requirements.

If you want to hack a game so you can finish it quickly without giving yourself bonuses which cheapen the experience of the game, changing the level table is probably a good option. It's also easy to do, requiring just a little diligence and a hex editor.

Getting Started
+-------------------------

First you need a hex editor. Some emulators (such as FCEUX) offer them built-in. Lacking this option, there are plenty of free hex editors available. Google "hex editor" and try to download one that is small and uncomplicated. For this tutorial, I'll be using FCEUX to hack Dragon Warrior's level table.

Once you have your hex editor, open your ROM file in it. You'll see the ROM file expressed as hexadecimal, a sequence of numbers separated by spaces. Each number is a distinct byte. At the far left you'll see the locations of the bytes in the ROM, also expressed as hexadecimal.

--------------------------
Locating the Level Table
+-------------------------

Typically, the experience leveling thresholds are arranged in sequential order in their own distinct segment in the ROM, called the level table. The size in bytes of each threshold depends on the maximum possible experience permitted by the game: the higher the maximum, the more bytes are required. An experience ceiling of 65,535 means that each experience threshold is specified using two bytes. A 9,999,999 ceiling (as in Final Fantasy) requires three bytes per threshold.
In Dragon Warrior, the experience ceiling is 65,535, the highest number that can be specified with two bytes. Now that we know what the table looks like in ROM, we can search for it.

Each byte can only specify numbers in the range of 0-255. To get the threshold for your current experience level, Dragon Warrior reads two bytes and combines their values into one number. One byte is used to figure the part of the number above 255, the other the part below it. The byte used to figure the part above 255 is called the "high" byte, and the byte used to figure the part below it the "low" byte. The low and high bytes are next to each other, but that's all we can assume. The game may look for the low byte after the high, or the high byte after the low, so we have to look for either possibility.

There is also a possibility that the level table is compressed, meaning it's stored in the ROM in a format that is unreadable and inaccessible except by the game itself. We probably don't have to worry about compression when editing the level table though, for two reasons: 1) decompression requires a lot of RAM, something that is likely to be in short supply at the end of a fight; 2) decompression requires a lot of CPU horsepower, whereas leveling up happens immediately at the end of a fight. Considering that there is very little of either RAM or CPU available for decompression, and the level table is varied enough that it'll probably make for a poor compression target anyway (compression works by coding invariance), it is highly unlikely that the table is compressed.

Having assured ourselves of our ability to edit experience levels, we are now prepared to begin searching for them. But to search for them, we must first know what they are. It would be helpful to have a ready-made table of experience thresholds to refer to, and some do exist, but they aren't always reliable.
It is better that we calculate a few thresholds by hand, by combining our current experience at a given level with what the game tells us we need to get to the next level. In Dragon Warrior, we get this information by consulting our status to see what experience we have, and the King to learn what more we need. Doing the math, we need 7 exp for level 2, 23 for level 3, and 47 exp for level 4. That should be about enough to locate the table... across 80 thousand bytes, the incidence of these numbers occurring in succession is very small.

We might also note that we start the game at level 1 with no experience, so we might expect two null bytes right at the start of the table indicating the threshold for level 1. Additionally, we expect the table to have 30 entries, one for each level, meaning at two bytes per entry the table itself is 60 bytes long.

We can further factor in some standard coding practices on the part of the designers: it is common practice for coders to "mark off" the beginning and ending of tables with 255. We can also expect to find a number of null bytes surrounding either side of the table, reflecting the practice that tables be in their own isolated segments to prevent accidental corruption during the development process (such as by the insertion of graphics or items).

Before searching for the table, we need to convert the three thresholds into hexadecimal. There are a couple of ways to do this: 1) we can use a calculator (such as the one bundled with Windows), or 2) we can input the number in a search engine (such as Google) followed by "to hex". The search engine is likely to figure the calculation for us. If using the Windows calculator, set it to scientific mode to access the base conversion function. Input the first threshold and then switch to Hexadecimal, then write down its hexadecimal value. Repeat for each threshold.

Now open your hex editor's search function.
We don't know the order of the bytes, so we'll look for the low byte first followed by the high (so-called "big Endian" sequencing, which is something of a standard for many programs). None of these thresholds are greater than 255, so the first byte will have the value and the second byte will be 0. Working it all out, we're searching for this:

    07 00 17 00 2F 00

and if that doesn't work, we'll look for little Endian, which works out to this:

    00 07 00 17 00 2F

It could also be stored in reverse, which would work out to:

    2F 00 17 00 07 00

or:

    00 2F 00 17 00 07

The same principle applies to games with multiple characters: work out their thresholds and search for them in big Endian, little Endian, and in reverse if necessary. Expect all of the experience tables to follow each other. Be careful, because if there is only one table for all characters (enemies included)... you could end up making enemies very strong.

-----------------------
Editing the Table
+----------------------

(note: if you're using an editor built into an emulator, make sure you search in ROM, not RAM!)

Doing our search, we find a match at 00F360. Doing a search for the little Endian arrangement, we also find a match (at the same place), but notice that the two bytes in front are blank. Right after them is the first experience threshold, 07, followed by 00. Then 17 (23 decimal) followed by another null byte. This is a sign the arrangement is big Endian, with the low byte in front and the high byte afterward. Sixty bytes down, we see FF FF, the experience ceiling. This must be the table.

Prove it with a test hack. Starting from 07, set all the succeeding bytes up to and including FF FF, 58 in all, to 0. DO NOT go over or you will likely destroy the game. Save your edits to a new file (make sure the filename ends with ".nes"). Now load this file into your emulator and start a new game. Right from the start, you'll be at level 30, with maximum HP, MP, and all spells.
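The four-layout search and the double match described above can be automated. The following is an added example, not part of the original tutorial: it tries all four layouts, then decodes 30 entries around each match and keeps only a table that starts at 0 and strictly increases, which settles which of two overlapping matches is the real one. The sample image and every threshold other than 7, 23 and 47 are constructed for illustration.

```python
import struct

KNOWN = [7, 23, 47]        # thresholds for levels 2-4, as worked out in the text
ENTRIES, WIDTH = 30, 2     # 30 levels at two bytes each: a 60-byte table

def find_level_table(rom):
    """Try all four layouts; return [(table_offset, layout, thresholds)]."""
    hits = []
    # "<" packs the low byte first (struct's little-endian), ">" the high byte first
    for order, fmt in (("low byte first", "<"), ("high byte first", ">")):
        for direction, seq, lead in (("ascending", KNOWN, 1),
                                     ("reversed", KNOWN[::-1], ENTRIES - 4)):
            pattern = struct.pack(f"{fmt}{len(seq)}H", *seq)
            pos = rom.find(pattern)
            while pos != -1:
                start = pos - lead * WIDTH   # skip back over the entries before the match
                table = rom[start:start + ENTRIES * WIDTH] if start >= 0 else b""
                if len(table) == ENTRIES * WIDTH:
                    levels = list(struct.unpack(f"{fmt}{ENTRIES}H", table))
                    if direction == "reversed":
                        levels.reverse()
                    # A real table starts at 0 exp and only ever climbs.
                    if levels[0] == 0 and all(a < b for a, b in zip(levels, levels[1:])):
                        hits.append((start, f"{order}, {direction}", levels))
                pos = rom.find(pattern, pos + 1)
    return hits

# Constructed sample data, NOT the game's real table: only 7, 23, 47, the
# 30-entry length and the FF FF ceiling come from the tutorial.
SAMPLE = [0, 7, 23, 47, 100, 200, 400] + [400 + 2800 * i for i in range(1, 23)] + [65535]
ROM = bytes(0x20) + struct.pack("<30H", *SAMPLE) + b"\xA9" * 0x20

if __name__ == "__main__":
    # The high-byte-first pattern also matches one byte into this table
    # (the double match noted in the text); validation discards that hit.
    for offset, layout, levels in find_level_table(ROM):
        print(f"table at 0x{offset:06X} ({layout}): {levels[:5]} ... {levels[-1]}")
```
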
Having realized the ability to edit experience thresholds, what should you do with it? In this regard it helps to be experienced with the game itself. Dragon Warrior starts off strong, but around level 13 the distances between levels begin falling out of proportion with per-battle rewards. This leads to a major rut until the player learns Healmore, enabling them to fight powerful monsters without having to retreat back to the inn every five minutes or so. Leveling too fast, on the other hand, risks putting the player out of sync with the normal flow of gameplay oriented around fundraising for weapons and armor. We want to streamline the game, not destroy it.

To keep the balance, we might consider capping distances between thresholds at 2000 after Rimuldar, as opposed to the standardized 4000 the designers intended. Actually, this puts us in sync with the revised table introduced in Dragon Warrior 1 & 2 on SNES and GBC, which wasn't actually edited at all, but was compensated for by increased exp yields overall.

Remember that you have to first convert the threshold to hexadecimal, and then put the first two digits in the second byte (the high byte) and the last two digits in the first byte (the low byte). Don't get confused now! If you put the high byte before the low byte, you're likely to have very erratic leveling!

------------------------
Expanding the Table
+-----------------------

At this point you might be thinking about expanding the table to level more gradually, even expanding the game. Before trying this, let's look at the surrounding environment. We see that the table is not marked off by 255s (FF in hexadecimal), nor is it padded by 0s. If it was, we could have inserted more level thresholds in the table. But it's not, implying that the data surrounding the table has significance and would be dangerous to alter without intricate knowledge of its meaning and purpose.
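Since the bytes on either side of the table are live data, an edit has to stay inside the table's 60 bytes. The following is an added example, not part of the original tutorial, of the gap-capping edit from the Editing the Table section: it writes the new thresholds low byte first and refuses any change that would alter the table's length. The sample thresholds, the offset and the list index at which capping starts are constructed assumptions.

```python
import struct

ENTRIES, WIDTH = 30, 2   # fixed size from the text: 30 thresholds, 60 bytes

def cap_gaps(levels, max_gap, first_index):
    """Limit the distance between thresholds from list index `first_index` on."""
    first_index = max(first_index, 1)        # entry 0 (level 1) has no gap before it
    out = list(levels[:first_index])
    for i in range(first_index, len(levels)):
        out.append(out[-1] + min(levels[i] - levels[i - 1], max_gap))
    return out

def patch_table(rom, offset, levels):
    """Return a copy of `rom` with the table at `offset` overwritten in place."""
    if len(levels) != ENTRIES:
        raise ValueError("entry count must not change: bytes around the table are live data")
    if levels[0] != 0 or any(a >= b for a, b in zip(levels, levels[1:])):
        raise ValueError("thresholds must start at 0 and strictly increase")
    if levels[-1] > 0xFFFF:
        raise ValueError("threshold does not fit in two bytes")
    if offset < 0 or offset + ENTRIES * WIDTH > len(rom):
        raise ValueError("table would run past the end of the file")
    blob = struct.pack(f"<{ENTRIES}H", *levels)   # "<H" writes the low byte first
    return rom[:offset] + blob + rom[offset + len(blob):]

# Constructed sample, NOT the game's real values: small early gaps, then the
# 4000-point gaps the text describes for the later levels.
OLD = [0, 7, 23, 47] + [47 + 700 * i for i in range(1, 13)] + [8447 + 4000 * i for i in range(1, 15)]
OFFSET = 0x10   # hypothetical position inside the constructed sample image
ROM = b"\xA9" * OFFSET + struct.pack("<30H", *OLD) + b"\x4C" * 0x10

def demo():
    new = cap_gaps(OLD, 2000, first_index=16)   # index 16 is an arbitrary choice
    return new, patch_table(ROM, OFFSET, new)

if __name__ == "__main__":
    new, patched = demo()
    print("last threshold:", OLD[-1], "->", new[-1])
    print("bytes outside the table untouched:",
          patched[:OFFSET] == ROM[:OFFSET] and patched[OFFSET + 60:] == ROM[OFFSET + 60:])
```
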
Moreover, the presence of non-zeroed data suggests that the level ceiling is enforced by the program, meaning we'd have to reprogram the game to remove the cap. The value of such an enterprise is frankly dubious: it is far easier, and more profitable, to learn to program your own game than to reprogram an existing one.

If you still insist on expanding the table, there is a partial disassembly available on GameFAQs (look for a document explaining the game's formulas) which will clue you in as to the gravity of the challenges ahead. If you do have knowledge of the internals of the game's host machine, your best bet is to open the game in an emulator featuring a built-in debugger and search for the starting address of the table (for Dragon Warrior, it's not F360 (that's the beginning of the line), but F36B, byte 12 on that line). You may need to reprogram the experience system at multiple points... for Dragon Warrior, this could prove really hard, because there isn't much free space in the game. You could get more space by using a different mapper, but that would mean a partial rewrite of the entire game.

Comment? Write tcaudilllg@gmail.com