Final Fantasy Tactics Advance WRAM management

Started by Bregalad, December 29, 2019, 05:32:32 AM


Bregalad

Hello folks,

I want to hack Final Fantasy Tactics Advance, and for that I need some free WRAM which I can use for whatever usage I feel like. Memory analysis shows that much of RAM in the 0x2037C00-0x203FFFF range appears unused...

...except that it's not really unused! This area is cleared at least twice, when booting the game and when starting a new game. God knows how many times the entire RAM is cleared in other circumstances, so I can't rely on hacking those two particular instances; it would be too dangerous to miss other circumstances where the whole area is cleared again.

I'm totally puzzled by how Final Fantasy Tactics Advance manages its WRAM. Apparently, only a small chunk at the start until 0x2008E60 or similar is actually used for fixed-location variables like our classical romhacking stuff. The rest seems to be dynamically managed, some kind of stack or heap maybe? Even worse, the management doesn't clear the same range: when booting the game 0x200F3C4-0x203FFFF is cleared, and when starting a new game 0x20159D0-0x203FFFF is cleared. Also, the Japanese game has slightly different offsets, but the EU game uses the same offsets as the American ROM (shown here).

In all cases I'm puzzled and I don't know how I am supposed to get the extra free RAM I need for my hack. Has anyone figured out how this mysterious WRAM management system/heap works?

Cyneprepou4uk

Hack the game to disable clearing that unused range maybe?

Bregalad

Quote from: Cyneprepou4uk on December 29, 2019, 10:07:02 AM
Hack the game to disable clearing that unused range maybe?
Of course I thought about that. If you replace the store instruction with a NOP, the game runs but there are graphical glitches in the intro and eventually the game crashes. Apparently the intro really requires at least some area to be cleared.

I could change the end of the cleared area to be sooner. However this would require extra instructions, so a call to a new routine, and wouldn't be a quick hack. Also the root of the problem would remain non-understood, which is usually bad romhacking practice, as this is the open door to various game crashes in a hack.

Cyneprepou4uk

Quote: Apparently the intro really requires at least some area to be cleared.

Yeah, you can't just NOP everything you want.

Quote: However this would require extra instructions, so call a new routine, and wouldn't be a quick hack.

If you are unable to do this simple task, then I doubt you've got the skill to make any use of those free addresses.

Bregalad

#4
Quote from: Cyneprepou4uk on December 29, 2019, 12:21:27 PM
If you are unable to do this simple task, then I doubt you've got the skill to make any use of those free addresses.
For your information, with the ARM processor, nothing is "simple". In particular, not loading an immediate value into the registers.

The processor computes the end-of-RAM address (0x2040000) in the following way:

mov R5, #0x81      @ R5 = 0x81 (8-bit immediate)
lsl R5, #18        @ R5 = 0x81 << 18 = 0x2040000 (logical shift left)

If you are so bright, then you probably have an idea how to "simply" change the end address to 0x2038000? The answer is that it's impossible; you have to insert code which takes more space than the current code. And this is doable but inherently complicated, since you need to jump or call your own code somewhere else in ROM.

Also, like I already said, I have no idea how many routines there are in the ROM which clear all RAM, but there are at least 2 of them, so if there's no understanding of the global picture, the chances of missing other routines clearing the RAM are high.

Cyneprepou4uk

#5
No, I agree that you need to make a custom subroutine. So you have answered your own question
Quote: In all cases I'm puzzled and I dont know how I am supposed to get my extra free RAM I need for my hack.

It is not impossible if you know what current routine does exactly. So what's the big deal, find a free space and write your own code there, then call it.

Quote: Also, like I already said I have no idea how many times in the ROM there are routine which clears all RAM, but there's at lest 2 of them, so if there's not understanding of the global picture, chances to miss other routines clearing the RAM are high.

When you are done modifying those 2 routines, play the game and find the rest of them (if they exist) the same way you found those 2. Set a write breakpoint or something

Bregalad

Well, sorry for the cross-edit.

I could always go the stealthy way as you say, but if someone understood or reversed the WRAM management system, modifying it properly would be the way to go. You can never be sure you've played "all" of the game. What if there's a special ending I never got and that clears the RAM one more time?

Cyneprepou4uk


Bregalad

#8
OK you motivated me to make more effort about that.

Interestingly enough, the WRAM clear routines are exactly the same; only the constant pool differs (and as such, they don't clear the exact same range). There are 3 instances of this exact same routine in the ROM :)

It'll be easy to make them call my own code which clears less RAM, leaving some empty RAM for me to use. However, out of curiosity, I still wonder how this game manages its WRAM. If anyone knows or has any idea...

January 03, 2020, 01:33:03 PM - (Auto Merged - Double Posts are not allowed before 7 days.)

Well, so I tried this method: modify the WRAM clear routine so that it only clears until 0x203C000...

This appears to work at first glance, but the game still has various glitches that show up because 0x203C000-0x203FFFF isn't cleared. For instance, the letters in the name selection screen are not shown. If you try to open some menus, this will freeze the game.