
Author Topic: General NES Hacking Questions  (Read 24585 times)

abw

Re: General NES Hacking Questions
« Reply #80 on: April 25, 2019, 05:43:04 pm »
Okay, really embarrassing question but I can't seem to open the file in either program you recommended. Asar seems to ONLY accept SNES roms and xkas plus seems to only accept disassembled code. Since you've said you've been using the former, I feel like I'm missing something incredibly obvious.

Asar assumes a SNES ROM and memory model by default, but you can get it to work with NES ROMs by flipping a couple of switches. Since it doesn't come with much in the way of examples, give this a try:
Quote from: test.asm
; Example NES 6502 ASM file: writes a small infinite loop.
; Put this file in the same directory as asar and execute it with e.g.
;   copy /Y nul test.bin
;   asar -nocheck test.asm test.bin
; After that, test.bin should contain 64 KB of #$00 followed by "A9 00 4C 00 80"

norom   ; stop Asar from trying to apply SNES memory mapping to this NES code
org $10010   ; set the ROM file insertion point to 0x10010
base $8000   ; set the starting RAM address to $8000

loop:
   LDA #$00
   JMP loop

Edit: Also, I thought I was getting your explanation of Read Breakpoints. I thought to find Monster Length I'd place a Read Breakpoint for Slime which the Pointer points to as memory at B718 (to avoid possible confusion I'll just say that with Chicken Knife sharing his atlas script I thought I'd use the work you guys did in moving the Item and Monster names). I figured it'd have to be CPU memory because PPU memory doesn't let me put in B718 (I assume 3ff0 is the maximum?) And yet when I try to go into a battle with a Slime, the Debugger doesn't trip anything. And yes I made sure it's enabled before you ask :p It's an easy thing to miss, so I wouldn't blame you if you asked.
Yeah, unless you're specifically looking for graphics stuff, a CPU breakpoint is probably what you want. The original monster list was at 0x1B728 a.k.a. $06:$B718, but I moved my monster list to 0x1D050, a.k.a. $07:$9040, so if you're looking for Slime, that's where it'll be.

Choppasmith

Re: General NES Hacking Questions
« Reply #81 on: April 27, 2019, 07:40:19 pm »
Asar assumes a SNES ROM and memory model by default, but you can get it to work with NES ROMs by flipping a couple of switches. Since it doesn't come with much in the way of examples, give this a try:
Yeah, unless you're specifically looking for graphics stuff, a CPU breakpoint is probably what you want. The original monster list was at 0x1B728 a.k.a. $06:$B718, but I moved my monster list to 0x1D050, a.k.a. $07:$9040, so if you're looking for Slime, that's where it'll be.

I guess I figured what was there at the pointer would still work. Thanks.

Well I got the game to stop and saw
 0F:F47B:8D A0 60  STA $60A0 = #$0B

And thanks to laserlambert's testing I know that the line 1 of monster names gets cut off at 11 letters, so I figure that's GOTTA be it right? Am I right in thinking maybe this ISN'T a hardcoded value but something that's loaded in memory? I also know that the second line for monsters is limited to 9 letters which is at least 1 letter short for my new monster names and even when trying to make a breakpoint based on the Monster Line 2 pointer, I got a break but couldn't find anything resembling a 9 letter limit. I even went BACK to DW1 and tried to recreate the steps you did in finding the length limit of HEAL. Made a breakpoint and had it stop when casting and found

01:A868:AE E2 64  LDX $64E2 = #$0F

Note this is from my hack, so I figured this would have to be the new 15 letter limit for spells. If so, why does this use LDX? And how did you turn that into the ROM address of $77E9? Or am I just not looking at the right thing at all?

abw

Re: General NES Hacking Questions
« Reply #82 on: April 28, 2019, 09:21:17 am »
This sounds okay as far as it goes, but you haven't hit ROM yet, so you need to keep following the trail a bit further. Once you find the value you're looking for being read from somewhere in the $8000 - $FFFF range, then you can stop and convert the RAM address to a ROM address (/ get FCEUX to do it for you if you want).

0F:F47B:8D A0 60  STA $60A0 = #$0B
This shows that the game is about to store whatever the current value of A is to $60A0 (which was #$0B just before that instruction executed), so you'll need to find out where $60A0 became #$0B in the first place.

01:A868:AE E2 64  LDX $64E2 = #$0F
Similarly, this shows that the game is loading X with the value of $64E2, which happens to be #$0F; you'll need to find out how $64E2 became #$0F.

Choppasmith

Re: General NES Hacking Questions
« Reply #83 on: May 04, 2019, 06:40:23 pm »
Asar assumes a SNES ROM and memory model by default, but you can get it to work with NES ROMs by flipping a couple of switches. Since it doesn't come with much in the way of examples, give this a try:

Sorry, I did this and ran it, it made the bin file but I'm still getting the "Not an SNES ROM Error". You might have to dumb it down even more for me. (9_6)

This sounds okay as far as it goes, but you haven't hit ROM yet, so you need to keep following the trail a bit further. Once you find the value you're looking for being read from somewhere in the $8000 - $FFFF range, then you can stop and convert the RAM address to a ROM address (/ get FCEUX to do it for you if you want).
This shows that the game is about to store whatever the current value of A is to $60A0 (which was #$0B just before that instruction executed), so you'll need to find out where $60A0 became #$0B in the first place.
Similarly, this shows that the game is loading X with the value of $64E2, which happens to be #$0F; you'll need to find out how $64E2 became #$0F.

Okay so I used trace logger to log the data from the world map to the start of a battle to the breakpoint. Still not seeing what I want. I tried to put an Execution Breakpoint on 60A0, but I don't think I'm doing it right. When doubleclicking in the debugger it just gives me "K==#00" as the "condition" and when I try to change it I get an invalid condition.

Really sorry about this. It's hard not to feel like that guy who was trying to translate DW1 into Spanish. It's frustrating to feel so clueless, but this is uncharted territory for me and I'm determined to pick up SOMETHING new for later games.

On another note, the Assembly guide you posted is really handy, thanks! It's nice to know what all those 3 letter terms mean.

abw

Re: General NES Hacking Questions
« Reply #84 on: May 15, 2019, 06:06:35 pm »
Sorry for the delay in responding, I've been offline for the past couple of weeks!

Sorry, I did this and ran it, it made the bin file but I'm still getting the "Not an SNES ROM Error". You might have to dumb it down even more for me. (9_6)
I'm not sure how much further down I can go :P. Go to the directory containing Asar, copy the sample ASM I provided into a new file named test.asm, make an empty file named test.bin, and then open a command prompt in that directory and run "asar -nocheck test.asm test.bin". Works like a charm for me.

Okay so I used trace logger to log the data from the world map to the start of a battle to the breakpoint. Still not seeing what I want. I tried to put an Execution Breakpoint on 60A0, but I don't think I'm doing it right. When doubleclicking in the debugger it just gives me "K==#00" as the "condition" and when I try to change it I get an invalid condition.
For $60A0, you'd want a write breakpoint since you're looking for places where the game writes #$0B to $60A0. Execute breakpoints fire when the code at the address you set the breakpoint for gets executed (e.g. the F47B in "0F:F47B:8D A0 60  STA $60A0 = #$0B") and read/write breakpoints fire when the address you set the breakpoint for gets modified by some code (e.g. 60A0 is being written to in "0F:F47B:8D A0 60  STA $60A0 = #$0B").

With the trace log, you don't necessarily need to set any breakpoints; they just help to reduce the size of the log file you need to look through. If I do the same thing as you with an unaltered ROM, making a trace log from the world map to the start of a battle, it's a huge file but I can search it for $B718 (the start of the monster list) to get:
Code:
        $F422:A0 00     LDY #$00                                     A:18 X:00 Y:00 S:F7 P:nvUBdIzc
        $F424:AE A0 60  LDX $60A0 = #$0B                             A:18 X:00 Y:00 S:F7 P:nvUBdIZc
        $F427:B1 57     LDA ($57),Y @ $B718 = #$36                   A:18 X:0B Y:00 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:36 X:0B Y:00 S:F7 P:nvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:36 X:0B Y:00 S:F7 P:nvUBdIzc
        $F42D:9D FF 00  STA $00FF,X @ $010A = #$5F                   A:36 X:0B Y:00 S:F7 P:nvUBdIzc
        $F430:C8        INY                                          A:36 X:0B Y:00 S:F7 P:nvUBdIzc
        $F431:CA        DEX                                          A:36 X:0B Y:01 S:F7 P:nvUBdIzc
        $F432:D0 F3     BNE $F427                                    A:36 X:0A Y:01 S:F7 P:nvUBdIzc
        $F427:B1 57     LDA ($57),Y @ $B719 = #$15                   A:36 X:0A Y:01 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:15 X:0A Y:01 S:F7 P:nvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:15 X:0A Y:01 S:F7 P:nvUBdIzc
        $F42D:9D FF 00  STA $00FF,X @ $0109 = #$5F                   A:15 X:0A Y:01 S:F7 P:nvUBdIzc
        $F430:C8        INY                                          A:15 X:0A Y:01 S:F7 P:nvUBdIzc
        $F431:CA        DEX                                          A:15 X:0A Y:02 S:F7 P:nvUBdIzc
        $F432:D0 F3     BNE $F427                                    A:15 X:09 Y:02 S:F7 P:nvUBdIzc
        $F427:B1 57     LDA ($57),Y @ $B71A = #$12                   A:15 X:09 Y:02 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:12 X:09 Y:02 S:F7 P:nvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:12 X:09 Y:02 S:F7 P:nvUBdIzc
        $F42D:9D FF 00  STA $00FF,X @ $0108 = #$5F                   A:12 X:09 Y:02 S:F7 P:nvUBdIzc
        $F430:C8        INY                                          A:12 X:09 Y:02 S:F7 P:nvUBdIzc
        $F431:CA        DEX                                          A:12 X:09 Y:03 S:F7 P:nvUBdIzc
        $F432:D0 F3     BNE $F427                                    A:12 X:08 Y:03 S:F7 P:nvUBdIzc
        $F427:B1 57     LDA ($57),Y @ $B71B = #$16                   A:12 X:08 Y:03 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:16 X:08 Y:03 S:F7 P:nvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:16 X:08 Y:03 S:F7 P:nvUBdIzc
        $F42D:9D FF 00  STA $00FF,X @ $0107 = #$5F                   A:16 X:08 Y:03 S:F7 P:nvUBdIzc
        $F430:C8        INY                                          A:16 X:08 Y:03 S:F7 P:nvUBdIzc
        $F431:CA        DEX                                          A:16 X:08 Y:04 S:F7 P:nvUBdIzc
        $F432:D0 F3     BNE $F427                                    A:16 X:07 Y:04 S:F7 P:nvUBdIzc
        $F427:B1 57     LDA ($57),Y @ $B71C = #$0E                   A:16 X:07 Y:04 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:0E X:07 Y:04 S:F7 P:nvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:0E X:07 Y:04 S:F7 P:nvUBdIzc
        $F42D:9D FF 00  STA $00FF,X @ $0106 = #$5F                   A:0E X:07 Y:04 S:F7 P:nvUBdIzc
        $F430:C8        INY                                          A:0E X:07 Y:04 S:F7 P:nvUBdIzc
        $F431:CA        DEX                                          A:0E X:07 Y:05 S:F7 P:nvUBdIzc
        $F432:D0 F3     BNE $F427                                    A:0E X:06 Y:05 S:F7 P:nvUBdIzc
        $F427:B1 57     LDA ($57),Y @ $B71D = #$FF                   A:0E X:06 Y:05 S:F7 P:nvUBdIzc
        $F429:C9 FF     CMP #$FF                                     A:FF X:06 Y:05 S:F7 P:NvUBdIzc
        $F42B:F0 07     BEQ $F434                                    A:FF X:06 Y:05 S:F7 P:nvUBdIZC
        $F434:60        RTS (from $F3FE) --------------------------- A:FF X:06 Y:05 S:F7 P:nvUBdIZC
which shows that the game is copying data from $B718-$B71D to $010A-$0106 (stored backwards) until it reads a #$FF (monster name end token) or X reaches #$00, and that X was set based on $60A0.

Spoiler:
As a side note, a little further down, you'll see the game copies the monster name from $00FF,X to $6119,Y, where it will eventually get used by the [name] control code:
Code:
      $FCE8:AE A0 60  LDX $60A0 = #$0B                             A:FF X:06 Y:00 S:F9 P:nvUBdIZc
      $FCEB:BD FF 00  LDA $00FF,X @ $010A = #$36                   A:FF X:0B Y:00 S:F9 P:nvUBdIzc
      $FCEE:99 19 61  STA $6119,Y @ $6119 = #$25                   A:36 X:0B Y:00 S:F9 P:nvUBdIzc
      $FCF1:C8        INY                                          A:36 X:0B Y:00 S:F9 P:nvUBdIzc
      $FCF2:CA        DEX                                          A:36 X:0B Y:01 S:F9 P:nvUBdIzc
      $FCF3:D0 F6     BNE $FCEB                                    A:36 X:0A Y:01 S:F9 P:nvUBdIzc
...

Searching backwards in the trace log for $60A0, the very first result is this:
Code:
     $FC92:A9 0B     LDA #$0B                                     A:00 X:00 Y:00 S:FA P:nvUBdIZc
     $FC94:8D A0 60  STA $60A0 = #$01                             A:0B X:00 Y:00 S:FA P:nvUBdIzc
So $60A0 got its value from A, and A got its value set based on $FC93 (the #$0B part of "LDA #$0B"), which unlike $60A0 comes from ROM i.e. 0x3FCA3. Ta-da!

With that as a guide, see if you can find where the maximum length of the second "line" of monster names in the main dialogue box is set (hint: it's #$09 and it's not too far away from where the maximum length of the first "line" is set), and then see if you can track down where the lengths for each of the two lines in the monster menu list get set (hint: same values as the dialogue box lengths, but set in a different area of the code; they'll still be in your trace log, though).

Really sorry about this. It's hard not to feel like that guy who was trying to translate DW1 into Spanish. It's frustrating to feel so clueless, but this is uncharted territory for me and I'm determined to pick up SOMETHING new for later games.

On another note, the Assembly guide you posted is really handy, thanks! It's nice to know what all those 3 letter terms mean.
Yeah, if you're not used to this kind of thing, it can take a while to really sink in. Just keep at it and you'll get the hang of it sooner or later!

Choppasmith

Re: General NES Hacking Questions
« Reply #85 on: May 18, 2019, 07:11:35 am »
Hey! Glad to see you're back and that you're okay! I was genuinely worried for a bit there that something bad might've happened that would've taken you out of the picture. While I'm sure I could've found help, you're a cool guy and it would've been a bummer to not be able to finish this while learning how to do it on my own. But anyway...

I'm not sure how much further down I can go :P. Go to the directory containing Asar, copy the sample ASM I provided into a new file named test.asm, make an empty file named test.bin, and then open a command prompt in that directory and run "asar -nocheck test.asm test.bin". Works like a charm for me.

I wonder if it's a Windows thing, are you on 10? When I try to run that very same command from the command line, it seems to work for a second but just takes me back to the command line with a modified test.bin and trying to run asar again just gives me the usual.


Searching backwards in the trace log for $60A0, the very first result is this:
Code:
     $FC92:A9 0B     LDA #$0B                                     A:00 X:00 Y:00 S:FA P:nvUBdIZc
     $FC94:8D A0 60  STA $60A0 = #$01                             A:0B X:00 Y:00 S:FA P:nvUBdIzc
So $60A0 got its value from A, and A got its value set based on $FC93 (the #$0B part of "LDA #$0B"), which unlike $60A0 comes from ROM i.e. 0x3FCA3. Ta-da!

With that as a guide, see if you can find where the maximum length of the second "line" of monster names in the main dialogue box is set (hint: it's #$09 and it's not too far away from where the maximum length of the first "line" is set), and then see if you can track down where the lengths for each of the two lines in the monster menu list get set (hint: same values as the dialogue box lengths, but set in a different area of the code; they'll still be in your trace log, though).

So on one hand I DID find the second line monster value of 9 at 3FCBF, though I'm not sure how you turned FC93 to 3FCA3. I mean yeah you added 30010 but where did THAT come from? It doesn't quite match up with what you were talking about RAM to ROM addresses on the last page.

And I made an honest effort, but I can't seem to find what you're talking about for the Monster List window. I DID find the subroutine FCE8 in my trace log and while trying to understand it still makes my eyes go @_@ I can understand enough that there's two sections concerning whether or not the Monster needs that second line printed in the window. And I can see that it loads the value as X as opposed to A in the main dialog window. But can't seem to find anything in my log about the value being stored in 60A0.
« Last Edit: May 18, 2019, 08:03:33 am by Choppasmith »

abw

Re: General NES Hacking Questions
« Reply #86 on: May 18, 2019, 12:57:54 pm »
Hey! Glad to see you're back and that you're okay! I was genuinely worried for a bit there that something bad might've happened that would've taken you out of the picture. While I'm sure I could've found help, you're a cool guy and it would've been a bummer to not be able to finish this while learning how to do it on my own. But anyway...
Yeah, every now and then I go offline for a couple of weeks for IRL stuff, though one time it was for an entire year!

I wonder if it's a Windows thing, are you on 10? When I try to run that very same command from the command line, it seems to work for a second but just takes me back to the command line with a modified test.bin and trying to run asar again just gives me the usual.
I'm actually on Windows 7 (cuz eww 8 and 10), but if you're getting a modified test.bin, then it sounds like Asar is working. Try changing test.asm and see if you get a different test.bin.

So on one hand I DID find the second line monster value of 9 at 3FCBF,
Nice job!

though I'm not sure how you turned FC93 to 3FCA3. I mean yeah you added 30010 but where did THAT come from? It doesn't quite match up with what you were talking about RAM to ROM addresses on the last page.
If the Trace Logger included bank number, $FC93 would show up as $0F:$FC93, and $0F * $4000 - $8000 - $01 * $4000 + $FC93 + $10 = $3FCA3 (i.e. <ROM bank number> * <bank size> - <base RAM-to-ROM offset> - <RAM bank number> * <bank size> + <RAM address> + <iNES header size>). Or find $FC93 in the Hex Editor -> right click -> Go Here In ROM File.

And I made an honest effort, but I can't seem to find what you're talking about for the Monster List window. I DID find the subroutine FCE8 in my trace log and while trying to understand it still makes my eyes go @_@
Ah, $FCE8's not so bad :P. When you're trying to wrap your head around a block of code, remember that the Debugger and Trace Logger give you two different views of the same thing; sometimes it's easier to understand what's going on when looking at one instead of the other. Here's the basic code you'll see in the Debugger:
Code:
0F:FCE8:AE A0 60 LDX $60A0
0F:FCEB:BD FF 00 LDA $00FF,X
0F:FCEE:99 19 61 STA $6119,Y
0F:FCF1:C8      INY
0F:FCF2:CA      DEX
0F:FCF3:D0 F6    BNE $FCEB
0F:FCF5:60      RTS

and here's a commented version:
Spoiler:
Code:
; copy $60A0 bytes of data from $00FF,X to $6119,Y
; X is used as a read index, Y as a write index
; data gets copied in reverse order
; IN:
; A/X/C = irrelevant
; Y = current write index
; OUT:
; A = last byte copied (but calling code doesn't care)
; X = 0
; Y = current write index; this is important since the calling code needs to remember the write index from the first segment when dealing with the second segment
; C = unchanged
; control flow target (from $FC9D, $FCBA)
0x03FCF8|$0F:$FCE8:AE A0 60 LDX $60A0 ; initialize the read index to the value of $60A0
; control flow target (from $FCF3)
0x03FCFB|$0F:$FCEB:BD FF 00 LDA $00FF,X ; read data from $00FF,X
0x03FCFE|$0F:$FCEE:99 19 61 STA $6119,Y ; write data to $6119,Y
0x03FD01|$0F:$FCF1:C8      INY ; increment write index
0x03FD02|$0F:$FCF2:CA      DEX ; decrement read index
0x03FD03|$0F:$FCF3:D0 F6    BNE $FCEB ; if the read index is not 0, loop back to $FCEB
0x03FD05|$0F:$FCF5:60      RTS ; otherwise the read index is 0, so we're done

I can understand enough that there's two sections concerning whether or not the Monster needs that second line printed in the window. And I can see that it loads the value as X as opposed to A in the main dialog window. But can't seem to find anything in my log about the value being stored in 60A0.
If you keep looking for reads on $B718, you should notice that the game scans through the monster name list a few times while starting a battle; the last one is for the monster list menu (you can also easily isolate this one by starting a trace log just before pressing FIGHT, as the monster menu gets redrawn after that point). At the spot where the breakpoint fires, you'll be in the same block of code as for the main dialogue window, but coming from a different place (the stack will show something like FA,F3,C5,EF,..., which means the last JSR before you got to this code ended at $F3FA [so started at $F3F8], and the JSR before that ended at $EFC5 [$EFC3]). Searching backwards for $60A0 from there should quickly get you to:
Code:
              $EFA9:A9 0B     LDA #$0B                                     A:00 X:18 Y:07 S:F1 P:nvUBdIZc
              $EFAB:8D A0 60  STA $60A0 = #$00                             A:0B X:18 Y:07 S:F1 P:nvUBdIzc
and searching forwards will eventually (after a long series of other uses for $60A0) get you the maximum length of the second line too (or if you look in the Debugger, the code for handling the second line of monster names is only a few lines of ASM away from the code for handling the first line).
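
Added example (not part of the original posts, and not FCEUX or Asar code): a Python version of the two steps abw describes above, searching a trace log backwards for writes to $60A0 and converting the CPU address of the constant to a ROM file offset with the bank formula. The function names are hypothetical, the sample trace is assembled from lines quoted in the thread, and 16 KB banks, a 16-byte iNES header and bank $0F at $C000-$FFFF are assumed as in the posts.

```python
import re

BANK_SIZE = 0x4000    # 16 KB PRG bank, the <bank size> in the post's formula
INES_HEADER = 0x10    # <iNES header size>
STA_ABS, LDA_IMM = 0x8D, 0xA9   # opcodes seen in "8D A0 60 STA $60A0" / "A9 0B LDA #$0B"

# Trace Logger line layout: $PC:raw bytes  MNEMONIC operand ...  A:xx X:xx ...
LINE = re.compile(r"^\s*\$([0-9A-F]{4}):((?:[0-9A-F]{2} )*[0-9A-F]{2})\s+"
                  r"([A-Z]{3})\s*(.*?)\s+A:([0-9A-F]{2}) ")

# Constructed sample: lines copied from the trace excerpts quoted in the thread.
SAMPLE = [
    "$FC92:A9 0B     LDA #$0B                     A:00 X:00 Y:00 S:FA P:nvUBdIZc",
    "$FC94:8D A0 60  STA $60A0 = #$01             A:0B X:00 Y:00 S:FA P:nvUBdIzc",
    "$F422:A0 00     LDY #$00                     A:18 X:00 Y:00 S:F7 P:nvUBdIzc",
    "$F424:AE A0 60  LDX $60A0 = #$0B             A:18 X:00 Y:00 S:F7 P:nvUBdIZc",
    "$F427:B1 57     LDA ($57),Y @ $B718 = #$36   A:18 X:0B Y:00 S:F7 P:nvUBdIzc",
    "$EFA9:A9 0B     LDA #$0B                     A:00 X:18 Y:07 S:F1 P:nvUBdIZc",
    "$EFAB:8D A0 60  STA $60A0 = #$00             A:0B X:18 Y:07 S:F1 P:nvUBdIzc",
]

def cpu_to_rom(bank, addr):
    """<bank>:<CPU address> -> iNES file offset, written as in the thread's formula."""
    if not 0x8000 <= addr <= 0xFFFF:
        raise ValueError("$%04X is RAM, not ROM; keep tracing" % addr)
    ram_bank = (addr - 0x8000) // BANK_SIZE   # 0 for $8000-$BFFF, 1 for $C000-$FFFF
    return bank * BANK_SIZE - 0x8000 - ram_bank * BANK_SIZE + addr + INES_HEADER

def parse(line):
    """Split one trace line into PC, raw bytes, mnemonic and the A register value."""
    m = LINE.match(line)
    if not m:
        return None
    pc, raw, mnem, _operand, a = m.groups()
    return {"pc": int(pc, 16), "bytes": bytes.fromhex(raw), "mnem": mnem, "a": int(a, 16)}

def writes_a(op):
    """True if the instruction changes A (accumulator shifts are one byte long)."""
    if op["mnem"] in {"LDA", "TXA", "TYA", "PLA", "ADC", "SBC", "AND", "ORA", "EOR"}:
        return True
    return op["mnem"] in {"ASL", "LSR", "ROL", "ROR"} and len(op["bytes"]) == 1

def find_constant_writes(trace_lines, target):
    """List every 'STA target' in the trace, newest first, with the source of A."""
    ops = [p for p in map(parse, trace_lines) if p]
    store = bytes([STA_ABS, target & 0xFF, target >> 8])   # little-endian operand
    results = []
    for i in range(len(ops) - 1, -1, -1):
        if ops[i]["bytes"] != store:
            continue
        # Walk back to the most recent instruction that modified A.
        src = next((o for o in reversed(ops[:i]) if writes_a(o)), None)
        imm = src is not None and src["bytes"][0] == LDA_IMM
        results.append({
            "store_pc": ops[i]["pc"],
            "value": ops[i]["a"],          # registers are logged before execution
            # The immediate byte sits one past the opcode; None means A came
            # from somewhere else and the search has to continue from there.
            "operand_addr": src["pc"] + 1 if imm else None,
        })
    return results

if __name__ == "__main__":
    for hit in find_constant_writes(SAMPLE, 0x60A0):
        src = hit["operand_addr"]
        # Assumption: code at $C000-$FFFF is in bank $0F, as in the debugger lines.
        where = "0x%05X in the ROM file" % cpu_to_rom(0x0F, src) if src else "not an immediate"
        print("$%04X stores #$%02X <- %s" % (hit["store_pc"], hit["value"], where))
```
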

Choppasmith

Re: General NES Hacking Questions
« Reply #87 on: June 13, 2019, 09:43:40 pm »
Okay, so first of all, sorry for the delay. I mean yeah I work but a big reason is I just got a nice CPU upgrade so I've been finally able to play DQXI among other things, and I think the last time I looked at this (about a week ago) my brain was like "Nope, not today..." but the Smash reveal made me go... "yeah I need to get back to this." If anything I'm just eager to get to 3 and finish the NES Erdrick trilogy at the very very least.

Anyway. Good news is I not only figured out the monster name menu length (though to your credit, you made it pretty easy in your last post) but I ALSO got the spell length for dialog.


(yeah I swapped out Heal for Holy Protection as a quick way to test)

I'm not sure if I want to mess with the menu length and keep it abbreviated like I did DW1 (because I know unlike DW1 not only the spell menus are done differently, but there are many more long spell names too). Otherwise that's all taken care of.

Bad news is, and I'm so sorry, but the ASM stuff is still stumping me. More, the asar usage than anything else.
I'm actually on Windows 7 (cuz eww 8 and 10), but if you're getting a modified test.bin, then it sounds like Asar is working. Try changing test.asm and see if you get a different test.bin.

Is the bin file supposed to be viewable in text form? Because opening it up in Notepad+ just gives me junk so I have no idea what to look for.

abw

Re: General NES Hacking Questions
« Reply #88 on: June 14, 2019, 09:21:41 am »
Okay, so first of all, sorry for the delay. I mean yeah I work but a big reason is I just got a nice CPU upgrade so I've been finally able to play DQXI among other things, and I think the last time I looked at this (about a week ago) my brain was like "Nope, not today..." but the Smash reveal made me go... "yeah I need to get back to this." If anything I'm just eager to get to 3 and finish the NES Erdrick trilogy at the very very least.
Heh, I hear DQXI is a leading cause of delay among DQ NES hackers ;).

Anyway. Good news is I not only figured out the monster name menu length (though to your credit, you made it pretty easy in your last post) but I ALSO got the spell length for dialog.
Congrats! It sounds like you must be getting close to finishing with this game - what's still left?

Bad news is, and I'm so sorry, but the ASM stuff is still stumping me. More, the asar usage than anything else.
Is the bin file supposed to be viewable in text form? Because opening it up in Notepad+ just gives me junk so I have no idea what to look for.
Just as viewable as any other ROM, i.e. not very :P. Like I said earlier, that sample ASM file should generate a file with 64 KB of zero bytes followed by the bytes "A9 00 4C 00 80", so open it up in a hex editor, scroll to the very bottom, and if you see those bytes, then it's working.

For real world usage, you'd want to adjust the org/base values to the ROM/RAM addresses you want to write to, replace the useless infinite loop ASM I concocted for the sample with whatever code you actually want to insert, and then run it against a real ROM instead of an empty file.