All times are UTC - 7 hours





PostPosted: Fri Oct 03, 2014 12:07 am 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Did anyone play these games (for the SNES) as a kid? (or maybe still once in a while when they were older?) Anyways, I fired it up the other day, and I started thinking about how the game actually works. For the uninformed, there are many teams, and many players on each team, each of whom has unique stats (speed, intelligence, agility, etc). Naturally, making the best team means picking the best players. (You can trade players between teams.) I thought that it'd be nice to dump the stats of all the players so they can be sorted/viewed/compared easily in excel, and set out to do it, but I was quickly stumped, because:
(1) The names of the players are not stored in a simple way. Doing relative searches for names in a hex editor yielded nothing. It must use some kind of multi-byte encoding.
(2) The stats aren't stored in a simple way. They're nominally between 0 and 100, but there's only multiples of 5. Thus, it's homo-morphic-whatever to a scale of 0 to 20, so maybe they're stored like that. Or maybe a non-multiple of 5 is actually possible; I don't know.

But even if I dumped all the stats, I don't know what each means. Some are obvious, like SPD (speed), but what does INT (intelligence) do for a player? Furthermore, if you go into the substitutions screen during a game, you see even more stats that you don't see on the trading screen. (The trading screen lists only SPD, INT, and AGI.) I can deduce what most of the acronyms mean, but some baffle me, like PCVR. (Cornerbacks and safeties have it. Maybe it means "P---- CoVeRage"?) Searching Google for football acronyms hasn't helped. To further confuse things, sometimes a statistic is just a clone of another, like INT and ACC (accuracy), and AGI and SCR (scramble) for quarterbacks, and INT and AWR (awareness) for linebackers. Yet for wide-receivers, INT seems to be unique, and not a clone of either BRTK or HND (break-tackle and hands).

Does anybody have some suggestions about how to do this? Has somebody already dumped the stats for these games?


PostPosted: Fri Oct 03, 2014 6:55 pm 
Joined: Fri Nov 19, 2004 7:35 pm
Posts: 3796
SNES emulators seem to be mostly in the dark ages for debuggers, there's nothing as powerful as FCEUXD for the SNES. NO$SNS looks okay, but it doesn't seem to have data breakpoints.

Well never fear, you can still get 'ghetto' data breakpoints by sticking the entire emulator inside a debugger (like Ollydbg), and use data breakpoints against the emulator itself. Find where the ROM is stored in process memory, and where the RAM is stored. Use a cheat finder (like Cheat Engine or something) if you need to find RAM values.
After you hit your RAM breakpoint, you can stick a breakpoint on the entire ROM, and see what address gets hit next, that tells you where the program counter is.

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!


PostPosted: Fri Oct 03, 2014 8:58 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Doesn't the game manual explain what the player attributes mean and do?

If you get exceedingly/stupidly stuck, let me know and I can ask one of the guys who programmed/worked on those games. He probably remembers shit like that after all these years.


PostPosted: Sat Oct 04, 2014 2:58 pm 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Quote:
SNES emulators seem to be mostly in the dark ages for debuggers, there's nothing as powerful as FCEUXD for the SNES. NO$SNS looks okay, but it doesn't seem to have data breakpoints.

I downloaded some emulator called "sleuth", and it has a debugger, but it didn't help. When I used it, it claimed that the game was doing "LDA Cx-xx-xx", which doesn't make sense, because the rom goes up to only 20-00-00.

Quote:
Well never fear, you can still get 'ghetto' data breakpoints by sticking the entire emulator inside a debugger (like Ollydbg), and use data breakpoints against the emulator itself. Find where the ROM is stored in process memory, and where the RAM is stored. Use a cheat finder (like Cheat Engine or something) if you need to find RAM values.

After you hit your RAM breakpoint, you can stick a breakpoint on the entire ROM, and see what address gets hit next, that tells you where the program counter is.

I didn't think of that... how inventive.

Quote:
Doesn't the game manual explain what the player attributes mean and do?

I got both games second-hand/used, so I don't have any manual or box. I can't find a digital copy of the manual either. Anyways, thinking about it, I bet PCVR means "Passing CoVeRage".

Quote:
If you get exceedingly/stupidly stuck, let me know and I can ask one of the guys who programmed/worked on those games. He probably remembers shit like that after all these years.

(1) I doubt that the same guys still work at EA after 16 years.
(2) Do you mean you'd talk to them in person somehow, or send them an email?

***

Also, I think I found a glitch/oversight. When you simulate games for a whole season, and then check stats for each player at the end of the season, you see that ILB3 (third inside linebacker) and OLB2 (second outside linebacker) have more tackles and sacks than ILB ((first) inside linebacker) and ROLB (right outside linebacker). If you trade to get the best linebackers, your team will do better if they're in the ILB3 and OLB2 positions than the ILB and ROLB positions. Thus, I think that for some reason, the game uses ILB3 and OLB2 (second stringers) instead of ILB and ROLB (first stringers) when simulating games, which surely doesn't make sense.

I still don't know what stats do in the game exactly. Recently, I traded a team's cornerbacks for all the (statistically) best cornerbacks from other teams, but when I simulated a season, the team actually did *worse*.

One may say: "Maybe it's just luck.", but simulating a season seems to be very regular/procedural. If you simulate a season for a set of players for each team, you will get the same results every time.


PostPosted: Sat Oct 04, 2014 3:45 pm 
Joined: Sun Sep 19, 2004 11:12 pm
Posts: 18006
Location: NE Indiana, USA (NTSC)
FinalZero wrote:
I downloaded some emulator called "sleuth", and it has a debugger, but it didn't help. When I used it, it claimed that the game was doing "LDA Cx-xx-xx", which doesn't make sense, because the rom goes up to only 20-00-00.

ROM in the Super NES usually appears mirrored several times. For example, HiROM appears at both $C00000-$FFFFFF and $400000-$7DFFFF, and the second half of each 64K bank appears at $008000-$3FFFFF and $808000-$BFFFFF.


PostPosted: Sat Oct 04, 2014 4:01 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
FinalZero wrote:
Quote:
If you get exceedingly/stupidly stuck, let me know and I can ask one of the guys who programmed/worked on those games. He probably remembers shit like that after all these years.

(1) I doubt that the same guys still work at EA after 16 years.
(2) Do you mean you'd talk to them in person somehow, or send them an email?

They've worked all over the place (Tiburon, EA, Firaxis, etc.), and one even has his own company. That has zero bearing on anything; how much they remember from then is a different question, but it's often surprising how much "sticks" when it's something you're working on day in and day out for a year plus. A couple are dudes I grew up around from the Apple II scene, who ended up working at EA and did many of the Madden games (particularly SNES). And no, I usually communicate with them on Twitter unless there's something more long-winded that has to be discussed. I'm sure you could dig them up if you wanted, there are tons of game sites that list off their names in the credits + you can Google. :)

I'd suggest trying to find someone with an original copy of the game who still has the manual. Would be willing to bet the acronyms are documented/explained there. Possibly ask on GameFAQs' boards/forums for the game. I think you might be surprised. :)


PostPosted: Sat Oct 04, 2014 5:23 pm 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Quote:
ROM in the Super NES usually appears mirrored several times. For example, HiROM appears at both $C00000-$FFFFFF and $400000-$7DFFFF, and the second half of each 64K bank appears at $008000-$3FFFFF and $808000-$BFFFFF.

Ah, okay. How do I tell what's in HiROM though?

Quote:
And no, I usually communicate with them on Twitter unless there's something more long-winded that has to be discussed.

Well, if you're willing, could you ask them how they stored a player's names and stats in Madden 97/98? If I know that, I can probably find it in the rom without trying to use a debugger.


PostPosted: Sat Oct 04, 2014 7:00 pm 
Joined: Sun Sep 19, 2004 11:12 pm
Posts: 18006
Location: NE Indiana, USA (NTSC)
Assuming your ROM has a valid internal header and no floppy copier header:
$20 or $30 at $7FD5 means LoROM (32K banks), and $21 or $31 at $FFD5 means HiROM (64K banks). Add $200 for a floppy copier header.
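
Added example (not part of any post in this thread): the map-byte check above combined with the HiROM mirror ranges given earlier, to turn a debugger address such as `$Cx-xx-xx` into a file offset. Function names are hypothetical, the sample image is constructed, and mirroring of a ROM smaller than 4 MiB is assumed to repeat at its power-of-two size.

```python
# Added illustration; function names are hypothetical, not from any tool in the thread.
MAP_BYTE = {"LoROM": (0x7FD5, {0x20, 0x30}), "HiROM": (0xFFD5, {0x21, 0x31})}

def detect_mapping(image: bytes):
    """Return every (mapping, copier_header_size) whose map byte matches.

    More than one hit means the single-byte check is ambiguous for this file;
    no hit means the internal header is missing or not at either location.
    """
    hits = []
    for skip in (0, 0x200):                      # without / with copier header
        for name, (offset, values) in MAP_BYTE.items():
            pos = skip + offset
            if pos < len(image) and image[pos] in values:
                hits.append((name, skip))
    return hits

def hirom_file_offset(addr: int, rom_size: int, skip: int = 0):
    """Map a 24-bit CPU address to a file offset for a HiROM image, or None."""
    bank, low = addr >> 16, addr & 0xFFFF
    full_bank = 0x40 <= bank <= 0x7D or 0xC0 <= bank <= 0xFF
    upper_half = (bank <= 0x3F or 0x80 <= bank <= 0xBF) and low >= 0x8000
    if not (full_bank or upper_half):
        return None                              # RAM, I/O registers, etc.
    # Assumption: rom_size is a power of two, so smaller ROMs repeat.
    return skip + (addr & 0x3FFFFF) % rom_size

def make_sample(copier_header: bool) -> bytes:
    """Constructed 64 KiB image with only the HiROM map byte set."""
    rom = bytearray(0x10000)
    rom[0xFFD5] = 0x21
    return (bytes(0x200) if copier_header else b"") + bytes(rom)

if __name__ == "__main__":
    for flag in (False, True):
        print(detect_mapping(make_sample(flag)))
    # An "LDA $Cx-xx-xx" operand in a 2 MiB (0x200000-byte) HiROM image:
    print(hex(hirom_file_offset(0xC12345, 0x200000)))
```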


PostPosted: Sat Oct 04, 2014 8:18 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Screwed around with this tonight, and sent some of the Tiburon guys some notes asking for advice. No promise they'll respond (well one probably will, but I bet the response will be "not sure, I just did the sound engine, sorry").

Madden 97 (and probably 98) is mode 21 (hirom). What makes this game a bit tedious to try and reverse-engineer is the fact that it uses mode 7 exclusively. Even more annoying/complex is the fact that the game uses SRAM (8KBytes worth).

Given what I know of the Tiburon guys, I'd be willing to bet money the strings aren't in pure ASCII -- they're going to be either offset by some value or XOR'd (cheap encryption), and possibly the graphics are the same; I'm absolutely certain there is no "multi-byte encoding" (this is a classic console, not a PC with Unicode).

The tiles used for text display on the "Records" screen (which uses mode 1) are 2bpp, on BG3 with priority bit set. That's probably the easiest place to use for reverse-engineering, because the actual game itself uses mode 7, so reverse-engineering from text there is tedious as hell given how the graphics work. It also makes heavy use of HDMA.

I can find some of the on-screen character records/strings in bank $7e/7f workram (when things are displayed), particularly $7e, so that's a place to start with, but workram is heavily used by this game (no surprise).

Doesn't help that the string search function in NO$SNS causes the emulator to go into an infinite loop (hence crash), not to mention whatever "internal stats" does in NO$SNS outright crashes it. I'll poke around in SNES9x + debugger later, but gut feeling is that it might require a combination of NO$SNS and SNES9x debugger to figure all this out.

I don't have any familiarity with the game (nor do I particularly like sports games in general, especially American football) so I'm just tinkering around. Figuring all this out might be easier through save states, but only if *everything* ends up in RAM (I'd be inclined to think it'd be a mix of RAM and ROM through indirect addressing).

On the bright side: it does look like some of the "record statistics" are consistent upon game start (on a fresh load), so that's something to key off of.

Edit: looks like some player names/etc. are stored in SRAM in ASCII, probably along with specific stats. The names that show up in there by default are names of those involved in the game's development (I recognise a good number of the surnames ;-) ). But obviously the ROM has the same data somewhere, along with the rest of the teams' players, just encoded in some manner like I said above. I don't know if this game lets you make your own players, but if it does, it may be possible to set up a breakpoint somehow on SRAM writes and work it backwards from there.


PostPosted: Sat Oct 04, 2014 8:27 pm 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Quote:
Given what I know of the Tiburon guys, I'd be willing to bet money the strings aren't in pure ASCII -- they're going to be either offset by some value or XOR'd (cheap encryption), and possibly the graphics are the same; I'm absolutely certain there is no "multi-byte encoding" (this is a classic console, not a PC with Unicode).

(1) The game does store some strings as ASCII, but not the players' names.
(2) When I did a relative search, it found nothing, so they can't simply be offset.
(3) Maybe they were XOR'd, I'll search. If they were XOR'd, I don't understand why they thought they needed encryption.
(4) I mis-spoke when I said "multi-byte encoding". I meant "multi-character encoding". That is, a byte may stand for 2 characters instead of only 1. It'd give easy compression for a game with lots of text.


PostPosted: Sat Oct 04, 2014 8:31 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Regarding use of XOR for simple encryption: because it's easy to implement, very light on the CPU (hardly any time needed), and keeps people from screwing around with the ROM (piracy, spin-offs, etc.). There was a lot of focus on this, including anti-piracy measures, in later SNES game generations. I would expect no different from the Tiburon guys, given that some of their programmers also worked on ClayFighter, which had anti-piracy measures in it (if I remember right, if a specific copier is detected, it issues commands to the copier to format the floppy disk that's inserted). All the guys I know are old Apple IIGS guys, which is how and where I know them from, and they used similar methodologies in anything they did on the IIGS.

No idea about the text stuff -- like I said, everything is speculation until someone actually starts working it out + reverse-engineering it. But go ahead and look in SRAM, you'll see what I'm talking about (and if you need name references, go see GameFAQs' entry for it, under Game Credits). Some of the names there are wrong though (for example the main audio engineer was Ian Schmid, not Brian Schmidt (he was some other audio dude unrelated to all that)), but the surnames are right.


PostPosted: Sat Oct 04, 2014 8:50 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
Well you're in luck -- the guy I asked responded:

Quote:
All the text (which I think includes the names) was in a 5-bit compressed form in the ROMs. Attributes were bitfields, IIRC. The created players in battery RAM were in a slightly more accessible form, I think.

So there you go -- not encrypted, but just compressed. Compression methodology unknown, but makes sense given that the ROM space is pretty much 100% used. Attributes being bitfields is a little vague, but chances are it's probably something like 4 bits per attribute (so values 0-15), or maybe more than that, but how those affect the mathematical calculations is unknown too.


PostPosted: Sat Oct 04, 2014 9:04 pm 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Quote:
So there you go -- not encrypted, but just compressed. Compression methodology unknown, but makes sense given that the ROM space is pretty much 100% used. Attributes being bitfields is a little vague, but chances are it's probably something like 4 bits per attribute (so values 0-15), or maybe more than that, but how those affect the mathematical calculations is unknown too.

Thank you very much! With that in mind, I should be able to find it easily. The attributes are probably at least 5 bits each too, because 2**5 == 32, and 2**4 == 16. There's 21 possible states (because each stat is 0-100 and a multiple of 5).


PostPosted: Sat Oct 04, 2014 9:08 pm 
Joined: Sun Sep 19, 2004 9:28 pm
Posts: 3192
Location: Mountain View, CA, USA
You're welcome. :-) Now I wish I had these kind of inner-company contacts at ChunSoft, because I'd kill to have an hour conversation with those who worked on Otogirisou.


PostPosted: Sat Oct 04, 2014 10:24 pm 
Joined: Thu Dec 03, 2009 7:27 am
Posts: 150
Well, an hour later, I still can't find it. There are 26 letters in the alphabet, and 2**5 == 32, so there should be 6 (== (32 - 26)) combinations of letters to check for. Yet I find nothing when I search for each. =/

(Maybe I should check for XOR'd combinations?)

Edit: Wow, my excel clone doesn't have a bitxor function. *sigh* time to fire up python and make a script.
Edit2: It looks like even excel proper didn't have bitxor until the 2013 version. I'm amazed.
Edit3: Searching for xor'd combinations yields nothing either.
Edit4: Thinking about stats more, they actually probably are 4-bit values. Testing it some, the smallest value is actually 30. There are conveniently 15 multiples of 5 in 30-100. (I also note that the create-a-player 100-yard dash (the trial that determines speed) is very difficult. I don't think I ever got above 30 (the lowest possible value) as a kid.)
Edit5: Btw, can you ask him how trades between teams were recorded? And how they simulated games?

