Sonic Fighters Hacking

Discussion in 'Engineering & Reverse Engineering' started by Andrew75, Dec 2, 2012.

  1. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    In a collaborative effort between myself and @RyogaMasaki, we have found some DIP switch settings which work in conjunction with some debug mode flags.

    The beginning of inputs for Model2 games begins in the area of memory located at 0x01c00000 and in ElSemi's emulator is defined as the IOBASE. ElSemi's emulator also allows reading of memory at this address, however, fails it write to it. The last byte of a DWORD at 0x1c0000c is where the flags for the DIP switch settings are stored in memory. By default, they are set to 1, and thus the byte value here is 0xFF.

    In a combination of having the 15th bit set and the 9th bit cleared at the debug mode address 0x508000 and having DIP switch 0 set on the board, this will enable a debug information display in the game as seen here:


    [​IMG]

    However, since ElSemi's emulator does not support DIP switches, a workaround had to be made that effectively removes the need for the DIP switch to be set in order to work.

    A side effect from this discovery is that if the debug mode value has bit 15 set and the 9th bit is not cleared, this removes all foreground 2D textures (such as the PRESS START BUTTON and health bar hud) from being drawn to the screen.

    The most up to date cheat script as of this post is located here for anyone to freely mess around with.

    I hope I didn't mess up any information here as I am trying to represent it as accurately as possible.
     
  2. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    Interesing new discovery. I found the location of the stage order for music loads:

    [​IMG]

    "North Wind", the Sonic vs Knuckles theme, is loaded at offset 0xAE100C.
    "Hurry Up", which is never used in the game, is loaded at offset 0xAE100F.
    So in order, you fight:
    1. Knuckles
    2. Amy
    3. Bark
    4. Espio
    5. Tails
    6. Fang
    7. Bean
    8. Sonic
    9. Metal Sonic
    10. Eggman in Mech
    But note there are 11 songs listed!

    My new theory? You were supposed to fight the mechless Eggman (unused), then he gets in his suit after setting self-destruct. It makes sense to me, anyway.
     
    Last edited: Dec 4, 2019
    • Like Like x 3
    • Informative Informative x 2
    • List
  3. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    WORKING WITH @RyogaMasaki, WE HAVE HARDWARE VERIFIED THE FIRST SONIC THE FIGHTERS CHEAT!

    To see this debug display on hardware, set DIP Switch #1 to the "ON" position, hold "Service Coin" aka "Service 1" button on the motherboard and enter the following code on Player 1's controls: RIGHT, RIGHT, PUNCH, LEFT, RIGHT, PUNCH, KICK, RIGHT, RIGHT, UP, PUNCH.

    As previously indicated, ElSemi's emulator has all DIP switches flipped, so a switch that disables foreground textures takes priority here. But yes, it will work in the emulator, but it crashes MAME.\

    THIS IS BIG! Please comment! I've been so alone in this thread, lol.
     
    • Like Like x 7
    • Informative Informative x 1
    • List
  4. ICEknight

    ICEknight

    Researcher Researcher
    Hey, nice find! Have you tried entering that code in other SEGA arcade games from that era?

    Regarding the crash, are you using the latest MAME version?
     
  5. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    The crash actually happens when one of the dip switches is flipped, specifically 8. Ryoga and I believe that it's hitting some unimplemented opcode. The build that was tested was from last night's git pull, modified to have the DIP switch correctly enabled, which is not yet submitted as a pull request.

    As for other games of that era, Ryoga and I assume it should work on Virtua Fighter 2 and Fighting Vipers as well, as the engine also supports the same base engine. Most games I've looked at have no labels in their code, so it's difficult to assume this might work on those games when there's no literal ascii text to display to the screen.

    I could take a look, as Dynamite Cop seems promising with labels, but nothing this extensive.
     
  6. RyogaMasaki

    RyogaMasaki

    0xffffffff Oldbie
    Yeah, I checked both FV and VF2, and they have the same program code, though the actual input code is different.

    To clarify a couple things about this input code: You do not need to have any DIPs set or unset to actually have it enabled; the flag is set as soon as you hit the correct input. But it's good to have only the lowest bit (DIP 1) enabled so you can see the debug text on the screen and have visual confirmation that it's enabled.

    In MAME, it only crashes when the highest bit (DIP 8) is set; the other switches work fine. Clearly this switch does something, but @biggestsonicfan reported there were no obvious changes where it was set on hardware.

    MAME is actually really bad with the i960. In my original article where we found the debug menu (shameless plug!) I had to write a separate cheat just to work around the unsupported opcodes. I do plan to submit a bug report about it eventually...

    For now, I'll be making a PR to MAME soon to add the DIP switches to the VF2/FV/SF boards, which will then be usable with the input codes. Doing some googling around for images, I actually think all Model 2 board revisions have a DIP switch somewhere, so I really think they should be added to all Model 2 boards in MAME... but I'll discuss that with some of the devs on twitter.
     
  7. kazblox

    kazblox

    Member
    172
    17
    18
    Diassemblies and decompilations.
    Be sure not to report the bugs to MAMETesters as Model 2 specific bugs, if they aren't the case! Model 2 is a NOT_WORKING driver, and thus any reports will be closed.
     
  8. RyogaMasaki

    RyogaMasaki

    0xffffffff Oldbie
    The bug is with the i960 CPU in particular, but I'll keep that in mind and do my research before doing so. Thanks!
     
  9. qwertysonic

    qwertysonic

    Member
    382
    17
    18
    creating the biggest sonic collection
    I've been following this thread and I appreciate the work done here.
     
  10. RyogaMasaki

    RyogaMasaki

    0xffffffff Oldbie
    Hi, who ordered the Sonic the Fighters prototype title screen and preview version ending screens?

    [​IMG]
    [​IMG]
    [​IMG]
     
  11. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    New cheat for sfight.lua!

    Fixed "Squished Honey"

    Code (Text):
    1. function patch_honey()
    2.     Romset_PatchDWord(0,0xC49C8,0x000005DD) --BODY
    3.     Romset_PatchDWord(0,0xC49CC,0x00000A99) --HEAD
    4.     Romset_PatchDWord(0,0xC49D0,0x00000A9B) --RSHOULDER
    5.     Romset_PatchDWord(0,0xC49D4,0x00000AA5) --RARM
    6.     Romset_PatchDWord(0,0xC49D8,0x00000AA3) --RHAND
    7.     Romset_PatchDWord(0,0xC49DC,0x00000A9A) --LSHOULDER
    8.     Romset_PatchDWord(0,0xC49E0,0x00000AA4) --LARM
    9.     Romset_PatchDWord(0,0xC49E4,0x00000AA2) --LHAND
    10.     Romset_PatchDWord(0,0xC49EC,0x00000A9D) --RTHIGH
    11.     Romset_PatchDWord(0,0xC49F0,0x00000A98) --RANKLE
    12.     Romset_PatchDWord(0,0xC49F4,0x00000A89) --RFOOT
    13.     Romset_PatchDWord(0,0xC49F8,0x00000A9C) --LTHIGH
    14.     Romset_PatchDWord(0,0xC49FC,0x00000A8A) --LANKLE
    15.     Romset_PatchDWord(0,0xC4A00,0x00000A88) --LFOOT
    16.  
    17. end
    Add
    Code (Text):
    1. patch_honey()
    to function Init() and this will fix her squashed form. This does not fix the alternate color Honey yet, I will have to work on that soon, but for now, (Alternate Honey squished models are fine according to the code) Take this as a taste of things to come!
     
    Last edited: Apr 29, 2020
  12. E-122-Psi

    E-122-Psi

    Member
    1,897
    69
    28
    Correct me if I'm wrong but didn't the original arcade version play NO MUSIC AT ALL in the Eggman fight? It was the ports that added music (albeit the WRONG MUSIC, possibly because of that track order).
     
  13. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    I feel this was the case too, but I can't find video evidence nor recreate it.
     
  14. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    A new cheat code allows you to view the enemies move's names as they happen! This is kind of a first step into understanding how character moves work!

    Code (Text):
    1. local enemy_move = ""
    2.  
    3. function Frame()
    4.      get_enemy_move()
    5. end
    6.  
    7. function get_enemy_move()
    8.    local g4 = 0x0510980
    9.    movesets = 0xDE278
    10.    local r3 = I960_ReadByte(g4+0xC9)
    11.    local moveset = I960_ReadDWord(movesets+(r3*4))
    12.    r3 = I960_ReadByte(g4+0xBA)
    13.    local r5 = 0x2C
    14.    r3 = r5*r3
    15.    local move_add = I960_ReadDWord(moveset+r3)
    16.    local str = ""
    17.    local start = move_add
    18.    local finish = move_add+25
    19.    local i = 0
    20.    while start~=finish
    21.     do
    22.         str = str .. string.char(I960_ReadByte(move_add+i))
    23.         i = i + 1
    24.         start = start+1
    25.     end
    26.  
    27.    enemy_move = str
    28.  
    29. end
    30.  
    31. function PostDraw()
    32.     Video_DrawText(20,10,enemy_move,0xFFFFFF);
    33. end
    Enjoy!
     
  15. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    Well now, what do we have here? :V
    sfight013.png
     
  16. Overlord

    Overlord

    Aros gartref, diogelu'r GIG, achub bywydau Moderator
    17,737
    105
    43
    Berkshire, England
    Learning Cymraeg
    Mirror mode? =P
     
  17. biggestsonicfan

    biggestsonicfan

    Model2wannaB Oldbie
    1,088
    71
    28
    Formerly Sonic the Fighters
    dsmGaKWMeHXe9QuJtq_ys30PNfTGnMsRuHuo_MUzGCg.jpg

    OH YOU. While this is a mirrored Honey match, the Eggman image has been replaced with Honey's silhouette proper. Meaning title cards and how pallets work are now understood in the game's code!

    Again, this isn't a screen from the 2012 re-release, this is the arcade version but fixed!