Corrupt Corrupting
by Weasel
(c)2002 Dragon Eye Studios

***************************
Intro:

This document is designed to help people with the grand art of rom corrupting. For those of you who don't know (you know who you are!), rom corrupting is a long, (occasionally) boring process of finding data in a rom. If you don't know what a rom is, I pity you. But anyway, the process of corrupting is where you take a rom, open it in a rom corrupter program and change some bytes to random crap, then open the corrupt rom in an emulator and see if any changes take place. It's hard to understand. Hence the reason for this document, right?

***************************
Let's Begin!

Before we start, you must have the right programs. I'll simply list a few notable ones that you should get.

*Rom Corrupter
 Written by Dwedit, this, in my opinion, is the best rom corrupter out there.

*Corruptster
 I think I spelt that right. Created by Disch (FFHackster d00d), it corrupts roms too! yay!

*Tile Layer (Pro)
 A tile editor. Believe me, this can be pretty freaking helpful ;) Made by SnowBro

*Hexpose
 A spiffy hex editor. You know you want it... Written/made by SnowBro, he's the man.

*An emulator
 Emulator for the system of your choice. In my example, I will use ZSNES.

*A Rom
 But you knew this, right? My example will use MegamanX3

Now that you have all of the above (if you don't, you're supposed to go get them, silly!), we can begin. Here we go... ...

***************************
Finding data first!

Here's the *really* fun part. Open the rom in a tile editor first (sounds strange for corrupting, but do it). Note the locations of the graphics that you can see. In TLP, you can see the address of the stuff. Here's the example.

2048k | Offset: 00160200 (68%) | SNES [4BPP]

There, at $160200, are some graphics. Write this down, please. Now, keep scrolling down until you see the end of the graphics here.
Example: Offset: 001973C0

Here, that block of graphics ends and you see the appropriate jumble of stuff you shouldn't care about. Write this down as well. Now, we have some very useful information, right? Between offsets $160200 and $1973C0 are some graphics. That, my friends, is where you DON'T want to corrupt. Simple as pie. If you continue down the rom, you find that between $1D01E0 and $1E21E0 are more graphics. That somewhat narrows down where you don't want to corrupt stuff. Keep going down and you find more stuff. Now, let's assess all we have so far:

*$160200-$1973C0
*$1D01E0-$1E21E0
*$1F0180-$1F6760

There are no more blocks of graphics that I could find. Isn't that something? Now, those are areas where you don't want to corrupt the rom. Okay? Good.

Now the next part of finding more data is to open the rom in a hex editor. Do a relative search for some text (e.g. Zero). The search in the hex editor will find the locations. Hopefully, you can use this to find text for the whole rom. Write down important locations because you don't want to corrupt them either. If you notice what we are doing, you can see that we are narrowing down the rom to make corrupting a little bit easier. X3 is a huge rom, but narrowing down the results can help a ton.

***************************
It's time to corrupt some stuff!

Now for the dirty work. You're gonna love this. Open the rom in a rom corrupter. Simple enough. If you are using Rom Corrupter, by Dwedit, you must select a rom and an emulator, and make it create a copy of the rom, named CORRUPT.smc. Now, on the left, you select the area to corrupt (start and stop), and on the right you select the type of corruption. My personal preference is corrupting every byte by adding 1 to it. That minimizes crashes (if you're wondering how, ask me later). Now, you press the big green GO button and it'll start CORRUPT.smc in the emulator with the corrupted bytes.
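
The steps above (a relative search for text, then adding 1 to every byte in a chosen window while skipping the ranges you wrote down), as an added Python example that is not part of the original document or of any of the tools it names. The function names, the blank 2048k image and the "ASCII + 0x30" text table are constructed for illustration, and the graphics ranges are treated as start-inclusive, end-exclusive.

```python
# Added example: hypothetical helpers, run here on a constructed blank image.
# Graphics blocks noted in the tile editor; treated as [start, end) (assumption).
PROTECTED = [(0x160200, 0x1973C0), (0x1D01E0, 0x1E21E0), (0x1F0180, 0x1F6760)]


def relative_search(data: bytes, text: str) -> list[int]:
    """Offsets where byte-to-byte differences match those of `text`.

    Works without knowing the game's character table, provided the table
    keeps characters in the same relative order as ASCII (assumption).
    """
    def delta(s: bytes) -> bytes:
        return bytes((b - a) & 0xFF for a, b in zip(s, s[1:]))

    hay, needle = delta(data), delta(text.encode("ascii"))
    hits, i = [], hay.find(needle)
    while i != -1:
        hits.append(i)
        i = hay.find(needle, i + 1)
    return hits


def corrupt(rom: bytes, start: int, stop: int, protected=PROTECTED):
    """Add 1 (mod 256) to each byte in [start, stop) outside `protected`.

    Returns (corrupted copy, number of bytes changed); the input is untouched.
    """
    out, changed = bytearray(rom), 0
    for off in range(max(start, 0), min(stop, len(rom))):
        if any(lo <= off < hi for lo, hi in protected):
            continue  # a range written down earlier: leave it alone
        out[off] = (out[off] + 1) & 0xFF
        changed += 1
    return bytes(out), changed


def demo():
    rom = bytearray(0x200000)  # constructed blank 2048k image, not a real ROM
    # Constructed text table: every character stored as ASCII + 0x30.
    rom[0x1000:0x1004] = bytes((c + 0x30) & 0xFF for c in b"Zero")
    hits = relative_search(bytes(rom), "Zero")
    protected = PROTECTED + [(h, h + len("Zero")) for h in hits]
    _, n_text = corrupt(bytes(rom), 0x0000, 0x2000, protected)
    _, n_gfx = corrupt(bytes(rom), 0x190000, 0x1A0000, protected)
    return hits, n_text, n_gfx


if __name__ == "__main__":
    print(demo())
```

The second window in demo() overlaps the first graphics block, so only the bytes from $1973C0 onward are changed.
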
Your results will vary (listed in order of occurrence): crashing the emu, freezing the game, seeing absolutely nothing, and seeing some strange changes. Seeing changes is the rarest of the results, which can be a pain. I'll give some examples of my corruptions. Behold:

Corrupted offsets   Results
1000-10000          Disables reading of HiRom or LoRom
10000-20000         Works fine up to the Title Screen. The Title Screen is blank
20000-30000         Capcom logo doesn't appear and the game freezes. ASM code probably...

Now, let's go through the results. The first one causes a crash. ZSNES can't read whether the rom is HiRom or LoRom. The second one plays fine to the title screen. But the title screen isn't there. Game freeze. The third makes the CAPCOM logo disappear, which I assumed to be assembly code.

As you corrupt stuff, it is important to write down everything that happens, even if it doesn't do anything (e.g. crash, crash, no visible change, crash, freeze). That way, you don't corrupt the same thing again, which can happen if you are getting frustrated. Now, the above doesn't tell you anything interesting about the rom, does it? Well, if you continue your exodus of corruptions, you come to an interesting offset:

1C0000-1D0000       Changes object set of Intro Level I think. Level data may be in here.

In this corruption, the intro level was messed up. Badly. There were messed up blocks in weird places everywhere. Interesting nonetheless, because that is level data (yes, I found this on my own). So, now we know where level data is placed in the rom, or at least the intro level. That's how corruptions work.

***************************
Conclusions

I hope this document has been even slightly useful to you. With this process, you can discover level data of a rom, or some other kind of stuff. Now, if you happen to know ASM, you could look at the rom disassembled and find it that way. But ASM is hard to learn, dig?
Anyway, if you continue the process of corrupting, you could end up finding more important stuff. That's how I discovered level data and other things in SMW2. Isn't it grand?

***************************
(c)2002 Weasel
Dragon Eye Studios

If you want to put this document somewhere besides http://www.dragoneyestudios.net, ask me. Just a simple email to weasel_cb29@yahoo.com will get it done. I'll probably let you use it so long as you ask first. Have a nice day!