---

Back to Index | Back to Tutorials

---

Speed Hacking Tutorial

This is a slightly updated version of my old speed hacking tutorial. I'd recommend trying SnesAdvance Tools first (if a game can be hacked in the way specified here, they'll probably work).

You can post and request speed hacks in the Fixes & Speed Hacks thread.

TECH NOTE : This is how to find loops which are just waiting for VBLANK. To direct quote technotes.txt, "Unlike the first example [fixing], we don't want to get rid of the loop, but make it end sooner. To advance the emulator to the next event (VBlank, IRQ, whatever) two new instructions were added to SNES Advance. Opcode $42 works like a relative branch. The high nibble of the next byte is the branch type, low nibble is the branch offset (always a negative branch)."

Most loops take the form of:

• lda $4210 (VBLANK)
• ...
• Branch (Loop backwards)

Finding speed hacks is a little bit trickier than finding fixes, but I'll make it as easy as possible.

Step 1) Download the debug version of SNESAdvance here.

Step 2) Download Visualboy Advance here.

Step 3) For this tutorial we'll be using the snes rom Yoshi's Cookie (U), because it's a simple game with a huge, hard-to-miss empty loop that starts well before and continues until VBlank (you don't have to understand that). Acquire this on your own.

Step 4) Run the debug version of snesadv_debug.exe and browse to Yoshi's Cookie (U).smc and add it.

Step 5) Now you have a gba rom named snesadvance.gba (or whatever you saved it as). Open this in Visualboy Advance.

Step 6) Open it in Visualboy Advance go to Tools -> Memory Viewer.

Step 7) Set up the memory viewer window and:

• Select 8-bit.
• Check Automatic Update.
• Type 2030000 in the address box (next to the Go button) and hit Go.

Step 8) You probably noticed the main emulator window is still present, but inactive. Click on it to make it active and start the game. Since Yoshi's Island (U) already runs fine (something you should check for), just hold down R (GBA R, not neccesarily PC R) and navigate yourself ingame. Choose to start and active game and wait until Mario and Yoshi and the cookies appear, and you can move the cursor. It should look like this:

Step 9) Don't move the cursor while we do this step; we want the rom to be doing as little as possible. You may have noticed the memory viewer changing. Now take a look at this value:

This is the current scanline. What you want to do is watch until it gets near F0 (VBlank) but is not F0. The closest you can get is EF, but I usually stop at EA. To advance the scanline at a manageable pace, hold L+R. If you need it to go even slower, hit Alt+3 to start autofire L and then Alt+3 again to stop it. Once you're close, proceed to step 10.

Step 10) Alright, with the scanline just below F0, start hitting L repeatedly and looking for a repetition at 2030020; it's the first four digits in the second column right next to 2030020.. In this case it should be going: D0 FB ->AD D8 -> D0 FB.....etc.

TECH NOTE : (Skip if you don't know ASM): If you know a little ASM, you can look at the code being executed within the loop (in this case AD D8) and see if it does anything important. However, since you're here, you probably don't know ASM, so you'll have to guess and check. If you want to translate the instructions use opcodes.txt. AD D8 translates to LDA D8.
/END NOTE

Remember loops from the fixes tutorial? Well, here's a refresher:

• 10 BPL : Branch if Result Plus
• 30 BMI : Branch if Result Minus
• 50 BVC : Branch on Overflow Clear
• 70 BVS : Branch on Overflow Set
• 80 BRA : Branch Always
• 82 BRL : Branch Always Long
• 90 BCC : Branch on Carry Clear
• B0 BCS : Branch on Carry Set
• D0 BNE : Branch if Not Equal
• F0 BEQ : Branch if Equal

Step 11) Now take a look at the numbers circled in red; that's what's causing the loop. Now, I'm not going to go into any kind of detail about how this loop can be made to terminate early; just use these methods:

If Y has a value of F:

Variable representing each digit (in order) --->	W	X	Y	Z
Loop Op --->	D	0	F	B
New order of variables --->	4	2	W	Z
New Op (Patch value)	4	2	D	B

So as you can (hopefully) see, the new op (or the value of the patch) is 42DB.

NOTE: You can ignore everything in red and still understand this tutorial. However, you may need the red information when hacking other games. If Y has a value other than F (this only works if WX=D0 or if WX=F0): Well now this is a bit trickier (until loopy explained it to me I didn't get it), but there's an easy way to do this too.

• Open Windows Calculator (Start Menu->Run->calc)
• Switch the view to Scientific.
• Set mode to Hex.
• Type in the value of YZ.
  • If WX=D0 then hit the "And" key, then type in 7F, then hit the "=" key.
  • If WX=F0 then hit the "Or" key, then type in 80, then hit the "=" key.

Step 12) Now we need to figure out where this op is in the snes rom, ie the address for the patch. This is very simple. Change the memory viewer to 32-bit, and then type 2030028 in the address bar and hit Go. You should see:

See the number circled in red (683FD)? That's the rom address we need to patch. The formula for the hack is:

[New Op (Value of patch)]=[rom address]

which in this case is : 683FD=42DB

Step 13) Now open snesadvance.dat in notepad. You should see the line :

EF15F4C3|Yoshi's Cookie (U)|0|0|0|0|0|0

Change it to read:

EF15F4C3|Yoshi's Cookie (U)|0|0|0|0|0|0|683FD=42DB

Save and there you go. You've found your first speed hack. Please note that this was an exceptionally easy-to-find hack, and many games are much much much more complicated. Try this on your own with another game. Then check technotes.txt to understand what you're actually doing.

-sephiroth2k

Back to Top | Back to Index | Back to Tutorials