SCV - SNES Code Visualiser

Hello fellow SNES lovers, this post is to discuss my SNES Code Visualiser, otherwise know as SCV. This code was hacked together very quickly, just to show an idea - it's not a finished product and I'd love to hear suggestions for improvements.

Basically I started thinking about what it would be like to plot the CPU program counter. I figured it would look like a 'pulse', and I even had a cool name for it, I called it the program counter pulse. In slow motion, I imagined seeing the PC going across the screen, following the same paths again and again. And occasionally new paths would be seen as player input forced different branch and jump logic to become true.

It was that point that stuck to me. What if we could visually identify specific code, as it happens?

The way I have achieved this is by taking advantage of the small ROM page size of the SNES. 16-bit addressing means page size is limited to 2^15 bytes when loROM is being used and 2^16 bytes with hiROM. If you assume the worst case scenario of hiROM, you can actually visually represent every single byte on the page in a neat 256 x 256 pixel square (256*256=2^16)!

To show you how effective this can be, I'm going to run you through an example usage, to find some really arcane code. Since F-Zero is my favourite, let's find the code that is executed everytime a car jumps onto and over a ramp.

Now keep in mind, the old way this would have worked is probably by tracing through the ROM over a couple of days, writing comments on a disassembled listing of the ROM, until you grasp the mechanics of the program enough to isolate events like jumping on a ramp. With this debugger, you can isolate the code in less than one minute.

Here's how: you start the ROM up

and get past the title screen, choose 'practice mode' so no other cars are bothering you, choose your car, league etc, and you'll notice as you progress further in to the game, more and more red pixels are lighting up on the screen immediately to your right. So keep going until you get to the race screen.

Now suddenly it's like a fireworks display, many many more pixels are turning red. Each of these pixels, gentlemen, is the representation of an instruction that has been executed in the ROM. In this case, you are looking at bank 0, but you can change the bank by pressing page up or down. Of course, tracking is done on all pages simultaneously, so you never miss anything.

So you start the race, and drive around a bit. Collide in to a wall. More red pixels suddenly light up. Is there any doubt these pixels represent the code that deals with collisions? Nonetheless, as more and more pixels are triggered, it's getting a bit hard to differentiate what code is what. Actually this plays to our advantage, because the more pixels that turn red, the more code you have identified as not being part of the ramp jumping routine.

Eventually, no more pixels are turning red. You are ready. Proceed to the ramp, rev your engines.

Press the 'end' key to change the color of any new pixels to green, and fly over the ramp. Immediately you see a bunch of suspicious green pixels. The tool immediately disassembles all the green pixels in to assembly language. But it's not just a disassembly - what you are now seeing on the screen is an actual trace of the code that occurred in the past, starting with the last red pixel to be run before the green pixels started. This first instruction in the trace, the red pixel which calls the first green pixel, is our testing branch.

If you press page down, you can see ROM bank 3's pixels, including a few tiny green ones. The white pixel (it's hard to see) is the highlighted ASM instruction on the right (aka. the branch).

For fun, let's NOP it. Select the instruction and press 'N'. This replaces the two bytes that make up the branch instruction with 0xEA, 0xEA. Now restart the ROM, and try to jump over the ramp. You can't. Congratulations you have just delved deep inside a SNES ROM and made a change in about 1 minute. That is the power of this tool.

A New Graphical Reverse Engineering Tool

When I was working on F-Zero VS, I took a screenshot of my desktop to remember my work environment:

Pictured: Snes9x with Geiger's debugger mod, and Notepad with TRaCER output.

When it comes to reverse engineering SNES ROMs, this is pretty much the "state-of-the-art", given the tools available are scarce. While reverse engineering work is enjoyable, its also tedious, inefficient and slow.

I have been contacted by many people asking me to do various hacks, including converting many different games to multiplayer. I really would love to help but finding the time seems impossible for me. If only there was a faster way... I love reverse engineering for all platforms, not just SNES, and want to see new developments in this field. I am thinking of writing a SNES tool that shows code execution graphically, also allowing you to quickly isolate code sections.

F-Zero VS Source Code

I have released the source code (I know I should have done this earlier) as people have been requesting it to make their own modifications and improvements.

You are free to make any modifications you wish to the code. Let me know if you make any changes and I will post the updates on this site.

Here's the code: http://www.megaupload.com/?d=VYL5SA35 Contact me if you want the source and the files are not there anymore.

Note: The source comes in two parts, the snes9x emulator code and the server code. The Snes9x code is compiled with MS Visual C++ 6.0. The server code is compiled with Visual C# Express 2008 which is a free download from Microsoft's website.

F-Zero VS v1.1 release

So far no bugs have been reported, which is a good sign.

However I have decided to release v1.1, which is just a very minor update. The only change since v1.0 is that a ROM check now occurs when you first start. This ROM check basically warns you if you do not have the correct version of the ROM (just a checksum comparison). Remember the correct version is 'F-Zero (U) [!].smc'.

You can choose to ignore this warning if you know you are using a hacked ROM (with new tracks for example) and are confident it will work. But if it doesn't, it means the code FZVS is supposed to be patching is not at the right locations.

http://www.zophar.net/snes/fzvs.html

http://www.filesavr.com/fzvsv11

F-Zero VS v1.0 release

Hello again,

Over the Christmas break I got to working on the code again after a long break and now finally, I have released v1.0.

You probably need the .NET Framework installed on your PC to run the server (you should have it installed anyway).

Get the package here: http://www.filesavr.com/fzvsv10_1

How to use it:

1) First, load FZVS_Server.exe. Specify the UDP port number you want to listen on, and hit the 'listen' button. Then select the number of players for the race and the track name, and press 'new race'.

2) You need to have the F-Zero ROM, which I cannot include in the package (obviously). There are many versions and I'm assuming that they all work, but if you notice the game not working properly, use the GoodSNES ROM version, which is called 'F-Zero (U) [!].smc'. This file should be in the same directory as the .exe files.

3) Start FZVS_Client.exe. Specify the IP address and port number the server is listening on (see point 1 above) and press OK. The game should start. Choose a car.

4) Repeat step 3, but run the FZVS_client.exe on other computers across the network or even on the same PC (if you have two gamepads on the one PC for example).

5) Race!

6) When all racers have finished, stop the race on the server by pressing 'Stop Race'. The FZVS clients should return to the main menu automatically. Then you can press 'New Race' again and select cars etc... make sure you press the new race button BEFORE you select the cars.

I recommend you play through a local network to minimise latency.

Another option is to run multiple clients on the same PC. My Intel Quad Core Q6600 @ 2.40GHz PC can handle four clients running on it at once through localhost (127.0.0.1) with ease... with four game pads and a big screen this is a good option.

Another note: if you have a multiple players in one room you probably don't want each FZVS client playing the music as this will result in multiple versions of the same song being played (ever so slightly out of sync). I added an option under Sound->Toggle Music which will disable music but leave the race sound effects etc enabled.

Finally: once the race starts you should not access the menu bar or move/resize the window. In these cases the game will pause and lose sync with the other players. It's not that big of a deal but it will cause the race timers to be out of sync, which may matter to some people.