A Technical Look at Old Video Games

the code behind the game


May 27

Reverse Bottle Adventure (RBA) Continued

Make sure to read the Introduction first! You’ll need that in order to understand this.

RBA can be used to duplicate bottles. Here’s an example process how. Let’s say you have Bugs on B and the Ocarina of Time on C-Right. You drop the Bugs so now the game overwrites your Bugs on B with Empty Bottle (0x14). It then adds 0x03 to the address and reads the Item Value of the Ocarina of Time (0x08) and uses this as the offset for the Inventory Screen. Take a look at the Inventory Screen once again:

Remember, counting starts at 0. Slot 8 is the Bombchu slot. Therefore, the Bombchus will be overwritten with an Empty Bottle. Using this method, you can theoretically overwrite all items except the Fire Arrows with a Bottle. Why not the Fire Arrows? Fire Arrows are unequippable to C-Right and as such there is no possible item on C-Right you can equip in order to overwrite the item. If you equip Fire Arrows to C-Right through tool-assisted means, however, you can get a Bottle.

Now, let’s talk about the cool things RBA can do, because duplicating Empty Bottles isn’t the most intriguing thing achievable. Take a look at this memory listing:

  • $11A644 - $11A65B Inventory Item Screen Items
  • $11A65C - $11A66B Inventory Item Amounts (example: how many Deku Sticks do you have?)
  • $11A66C Compressed Byte: Tunics and Boots
  • $11A66D Compressed Byte: Swords and Shields
  • $11A66E - $11A670 UNUSED BYTES
  • $11A671 - $11A673 Compressed Bits: Left-Side Equipment
  • $11A674 Quest Screen: Heart Pieces
  • $11A675 Quest Screen: Songs and Stones
  • $11A676 Quest Screen: Songs
  • $11A677 Quest Screen: Medallions and Songs
  • $11A678 - $11A682 Dungeon Items (Map, Compass, Keys)

Wow, that seems like a lot! And it is! But hey, you can access those bytes in memory and can modify them using RBA! For example, let’s say you have Milk (0x1A = 26) on B. Drinking it doesn’t cause an Empty Bottle (0x14 = 20) to occur but rather Half-Milk (0x1F = 31) will be written ONLY if the game determines there was Milk already present. More specifically, if the memory RBA is trying to access contains the value of Milk (0x1A = 26) it will overwrite it with the value of Half-Milk (0x1F = 31) even if the memory in question isn’t associated with items.

Let’s take a look at $11A66D. This byte dictates what Swords and Shields you have, exactly as below:

  • xxxx_xxx1 Kokiri Sword
  • xxxx_xx1x Master Sword
  • xxxx_01xx Biggoron Sword/Giant’s Knife (same item, flag elsewhere controls which is which)
  • xxxx_11xx Broken Giant’s Knife
  • xxxx_10xx “Broken” Icon
  • xxx1_xxxx Deku Shield
  • xx1x_xxxx Hylian Shield
  • x1xx_xxxx Mirror Shield

In order to access $11A66D, the Zora Mask (0x29) must be equipped on C-Right. If the value if equal to that of Milk, 0x1A, performing RBA will overwrite the value with 0x1F. In bits, 0x1A is 0001_1010. So, if you ONLY have the Deku Shield, the “Broken” Sword Icon, and the Master Sword (need to delete your Kokiri Sword with a different RBA), then performing Half-Milk RBA with the Zora Mask on C-Right will give you the Kokiri Sword and the Biggoron’s Sword.

One last trick before I stop. In order to access $11A677, the byte that determines which Medallions you have, you must perform RBA with the Poacher’s Saw (0x32) on C-Right. If you write back the value 31 using Half-Milk, the game will give you the following below, in bold:

  • xxxx_xxx1 Forest Medallion
  • xxxx_xx1x Fire Medallion
  • xxxx_x1xx Water Medallion
  • xxxx_1xxx Spirit Medallion
  • xxx1_xxxx Shadow Medallion
  • xx1x_xxxx Light Medallion
  • x1xx_xxxx Minuet of Forest
  • 1xxx_xxxx Bolero of Fire

Doing this deletes the Light Medallion and makes it unobtainable for the rest of the game. However, the game only checks if you have the Spirit Medallion and the Shadow Medallion. If you have both of those, which you will have after this particular RBA, then you can get Light Arrows, the item you need in order to open the path to the final dungeon of the game.

If you want more information, read the RBA article on Zelda Speed Runs.

Until next time!


Reverse Bottle Adventure (RBA) Introduction

It’s been a while.

Today I’m going to explain one of the craziest glitches in the entirety of Ocarina of Time: Reverse Bottle Adventure! This glitch is huge and can be exploited to duplicate bottles, overwrite sections of memory, confuse the game into giving you ocarina songs and medallions, and more!

This post is going to be a lot more technical in nature than the other posts have been. This is because RBA is a glitch that can’t be understood without looking at the game at the byte-level.

A lot of this information was aggregated from Zelda Speed Runs. Thanks for being awesome!

The game has seven bytes which are used to determine which items you have currently equipped. These bytes begin at $11A638 and are as follows:

  • $11A638 - Current B Button Item
  • $11A639 - Current C-Left Item
  • $11A63A - Current C-Down Item
  • $11A63B - Current C-Right Item
  • $11A63C - Current C-Left Item Inventory Screen Offset
  • $11A63D - Current C-Down Item Inventory Screen Offset
  • $11A63E - Current C-Right Item Inventory Screen Offset

The first four bytes will contain the hexadecimal Item Value of the item equipped. For example, the Master Sword’s Item Value is 0x3C, so the value stored at $11A638 when you have the Master Sword equipped is 0x3C. The Inventory Screen Offset bytes seem a bit confusing, but they simply say which location in the Inventory Screen (seen when pausing) your item belongs to. This is useful because many items can be mapped to the same position in the Inventory Screen. For example, the Fairy Ocarina and the Ocarina of Time are mapped to the same location. All the Bottle Items are mapped to the same location as well.

Counting for the screen starts at the top left, the Deku Sticks, with position 0. It goes left-to-right, up-to-down. Given that, the Ocarina Inventory Screen Offset is 7, and the first Bottle Inventory Screen Offset is 18. So, if your C-Right item is the Ocarina of Time, the value at $11A63B (C-Right Item Value) is 0x08 and the value three bytes later at $11A63E (C-Right Inventory Screen Offset) is 7.

Normally the Inventory Screen Offsets are only to highlight which items are equipped, as seen in the image above. However, they work a bit differently when the Bottle is used. This is because the game must update the Bottle with an Empty Bottle. Here is the exact process that occurs. Assume that there are Bugs equipped on C-Right:

  • C-Right is pressed. ptr = $11A63B (address of C-Right Item Value)
  • It contains a bottle! Replace the Item Value that the pointer is pointing to with that of an Empty Bottle, 0x14. NOTE: This process is different if you are using Milk because you end up with Half-Milk, not an Empty Bottle.
  • Add 0x03 to the ptr in order to now point to the C-Right Inventory Screen Offset. ptr = $11A63B + 0x03 = $11A63E (address of C-Right inventory Screen Offset)
  • Read the value of the offset and add it to the starting address for the Inventory Screen ($11A644) ptr = $11A644 + *($11A63E) In this case, the offset value is 18, so ptr = $11A656
  • Overwrite the value pointed to with an Empty Bottle, 0x14.

Okay, so that’s the introduction. Seems complicated, right? Well, it’s gonna get crazy now. There is a glitch you can do called Bottle on B which allows you to equip a Bottle to the B button. The same process described above occurs, but there’s an interesting caveat.

The way the game finds the Offset Value is by adding 0x03 to the button pressed that contains the bottle. If it’s on B, however, adding 0x03 gives you the C-Right Item Value, not the C-Right Inventory Screen Offset. Because of this, the Item Value is mistakenly used as the offset. Since there are more items in the game than there are spaces in the Inventory Screen, you can actually overwrite memory outside of where you are supposed to. As it turns out, you can overwrite memory that dictates what quest items you have using this method. You can get the game to give you Stones, Medallions, Ocarina Songs, and more.

There is a lot more to talk about regarding this glitch, so I’m going to make a second post that goes into more detail. Thanks for reading!


Mar 29

Missed me? It’s time for yet another Zelda-hacking tutorial! This time we’re going to change Link’s tunic colors in the first Legend of Zelda game. It’s a very simple thing to do, so pull out your hex editors (XVI32 recommended), your ROM of the game, and let’s get to it!

First, let’s discuss NES colors. The top color shows every color possible on the NES. As you can see, it’s not so good. How do these numbers work? Well, it’s simple. The left column is the rightmost nibble (0 to 3) and the second column is the leftmost nibble (0 to F). When put together, you get a color.

For example, Link’s default tunic color is 0x29, the lime green shade you see in the table. His blue tunic default is 0x32 and his red tunic is 0x16. For the Ninja Link seen above, I decided to choose one of the many blacks, in this case 0x0D, for his default tunic color.

So now that you know how NES colors work, it’s time to get hacking! Open up the game in your hex editor. You may have used Data Crystal for information regarding the game, but Data Crystal’s information on the tunics is incorrect. Data Crystal says that the three bytes corresponding to tunic colors (green, blue, red) start at $A287. This is incorrect. The tunic colors start at $A297.

You should see [29 32 16] at $A297. These are the colors you want to change. In my case, I replaced 0x29 with 0x0D for Ninja Link. There’s some other cool things you can do with the NES Zelda, but that’s all the time we have for now, folks.

Happy hacking!


Jan 11

It’s time for an explanation of how the infamous Old Man glitch in Gen I of Pokemon works!

In case you don’t know, the Old Man glitch works like this: You talk to the Old Man in Virdian City and ask him to show you how to catch a pokemon. You have a little cutscene of the Old Man catching a weedle. Then you fly to Cinnabar Island and surf up and down the eastern strip of the island. You will be able to encounter a rather surprising cast of pokemon, including MISSINGNO.

So why does this happen?

The short answer:

A serious programming oversight.

The long answer:

The game stores all the pokemon pointers in an 8-bit array. This means that the array can store a total of 256 different pokemon. However, in Gen I, there are only 151 pokemon! If you look at the image above, the green tiles indicate one of these 151 pokemon. The game was originally meant to have 190 pokemon however. As such, there are 39 spaces that are formatted to have MISSINGNO in them. These are represented by blue squares. Everything else is a glitch pokemon or an error and is a red square in the graphic.

Interesting side note: the 0th element of the array has no pokemon data. Looks like the programmers didn’t want to deal with 0 being the first number.

When the Old Man cutscene occurs, the game passes your character’s name into a register to save it. It just so happens that the register it uses to temporarily store your name is the same register that (normally) contains information on an area’s wild pokemon encounters. When the cutscene is over, your name is restored, but it is also kept within this register. This (normally) causes no problems because the game overwrites that register with new information every time a new area is encountered.

However, there is no wild pokemon data for towns, so that register isn’t overwritten. So when you fly to Cinnabar, your name is still in the register! There is a programming error though in that the eastern strip of land on Cinnabar, despite being water, is marked as grass! And there’s no pokemon data set for Cinnabar!

Normally this means that a previous area’s wild pokemon data will still be present. This actually is a nifty little trick if you’re trying to catch Safari Zone pokemon, but in this game, the pokemon loaded are based off of your character’s name!

The 3rd, 5th, and 7th slots determine the pokemon you will encounter. The game does not use a standard ASCII encoding, unfortunately. Instead, it starts with ‘A’ on 128, which is normally reserved for extended ASCII. Some of the interesting encounters are caused by having these as letters:

  • D - Mewtwo
  • Z - Bulbasaur
  • q - Charmander
  • r - Squirtle
  • PK - Rival Blue (Glitch Trainer)
  • MN - Pokemon Prof (Glitch Trainer)

I say interesting because it means you can get every starter if your name is set accordingly! Unfortunately, you cannot obtain Mew this way, since Mew’s index number in the game doesn’t match up with any of the characters you can input for a name. The 2nd, 4th, and 6th slots for your name determine the levels of the pokemon you encounter. Here are some examples:

  • A - Level 128
  • a - Level 160

Very interestingly, you can encounter glitch trainers too, including Professor Oak! That’s right, Professor Oak was originally going to be a trainer you could fight in the game, and his party is totally killer. Unfortunately, this particular glitch doesn’t load the proper team. You’ll have to use the Ditto Glitch to get the true experience of battling Professor Oak. Still, for the sake of completeness, here is his actual party:

  • Tauros, level 66
  • Exeggutor, level 67
  • Arcanine, level 68
  • Venusaur/Charizard/Blastoise, level 69
  • Gyarados, level 70

Final note: In Gen II, almost all the elements in the array of 256 were used for pokemon because of the addition of 100 new pokemon. This means in Gen II, there are 5 unused spaces. Also, three of the MISSINGNO spaces in Gen I actually hold data for the fossils and for the ghost.

For more information on the Old Man glitch, you can read here.

For the list of pokemon by index number, you can read here.


Jan 8

This one isn’t nearly as much fun to do and it is not an easy task at all.

The final bytes in the ROM loop through every possible hexadecimal number from 0x00 to 0xFF. This starts at $1f7c67c with 0x80 and continues incrementing until the end of the ROM, the final address being $1ffffff That’s a huge chunk of memory available free to you to do whatever you want. As far as I’m aware, the data here is completely unused.

Now the issue is how to get a character to access extra dialogue. Unfortunately, there seems to be no easy way to jump to a line using control codes apart from [07 xx xx] where (xx xx) refers to a line ID. For example, [07 00 24] takes you to a line indicating how many skulltulas you killed. That isn’t quite enough to do what you want.

In the European Master Quest Debug ROM, the English dialogue begins at $8c6000 The file itself is called nes_message_data_static. In US v1.2 of the game, the most common version of Ocarina of Time, this file begins at $90bac0, as far as I can see. I think it’s possible to modify this file and recompile the game yourself, but that’s a very difficult task to accomplish.


Jan 6

Great question!

I no longer have the hardware with me, but every LED in the Wii sensor bar outputs infrared radiation. The Wiimote is what’s detecting everything. This is why it’s important to tell the Wii itself whether or not the sensor bar is atop or below the television. Such knowledge is necessary in this instance for 3D position detection.


Jan 4

mojomomo:

this is why I shouldn’t be allowed to hack games

Some technical notes on how to do this:

Ocarina of Time uses its own control code format atop of a slightly modified ASCII encoding. The non-character ASCII codes 0x00 - 0x1f are unique control codes while the character ASCII codes 0x20 - 0x7e are the exact same. This is fantastic because it makes searching the ROM for particular lines of dialogue incredibly simple. Ocarina of Time has a non-standard extended ASCII that ranges from 0x7f - 0x9e. The ranges 0x9f - 0xab are used to display button icons like the A or B button in the text range.

The entire edited line, with controls codes shown in square brackets, is below:

[1a]His palms are sweaty, knees weak,[01]arms [05 41]spaghetti[05 40].[04]

The control codes used above, as well as some others, are as follows:

  • [00] is empty padding
  • [01] marks a new line in the text and can be thought of as ‘\n’
  • [02] marks the end of a line and can be thought of as ‘\0’
  • [03] isn’t really used
  • [04] indicates that the player must press a button to continue
  • [05 xx] changes the color of the text
  • [1a] indicates that the dialogue cannot be skipped

In regards to [05 xx], the legal values for xx are as follows:

  • 40 white
  • 41 red
  • 42 green
  • 43 blue
  • 44 cyan
  • 45 magenta
  • 46 yellow
  • 47 black

All in all, Ocarina of Time is pretty easy to text hack so long as you have a decent hex editor. As always, I recommend XVI32 for all your hex-editing needs. Happy hacking!


Oct 15
I recently had the pleasure of breaking open a Wii Sensor Bar. Turns out it’s very simple: 10 total LEDs and 2 total resistors; 5 LEDs and 1 resistor on the left and right sides. The resistor, shown in the image, is 34 ohms with a tolerance of 1%. According to the circuit board, maximum voltage is 94V with ground being set to 0V.
For something as sophisticated as the Wii Sensor Bar, its build is refreshingly simple.

I recently had the pleasure of breaking open a Wii Sensor Bar. Turns out it’s very simple: 10 total LEDs and 2 total resistors; 5 LEDs and 1 resistor on the left and right sides. The resistor, shown in the image, is 34 ohms with a tolerance of 1%. According to the circuit board, maximum voltage is 94V with ground being set to 0V.

For something as sophisticated as the Wii Sensor Bar, its build is refreshingly simple.


Aug 19

All NES games begin with the same four bytes. The first three bytes, when translated from ASCII, spell out “NES” The fourth byte is always 1A.


Aug 15
  • Top left: Ocarina of Time: Master Quest 64MB Debug ROM
  • Bottom left: Ocarina of Time: USA v1.2 32MB ROM
  • Right: Tunic colors from v1.2 ROM

These are the exact colors of the three tunics as they appear in Ocarina of Time. In the Debug ROM, all values are stored as RGB starting at $B9D1A8. The first three bytes are for the Kokiri Tunic, the next three bytes are for the Goron Tunic, and the final three bytes are for the Zora Tunic. In total, this is 9 bytes.

The final ROM of the game is a little bit different. First, the values are stored at $AED808. Second, it is compressed to 7 bytes thanks to removing the bytes that were 0x00. Third, some of the colors are slightly different between these two versions of the game. For reference:

DEBUG ROM

  • $B9D1A8 - Green Tunic (default 1E 69 1B)
  • $B9D1AB - Red Tunic (default 64 14 00)
  • $B9D1AE - Blue Tunic (default 00 3C 64)

USA v1.2

  • $AED808 - Green Tunic (default 1E 69 1B RGB)
  • $AED80B - Red Tunic (default 64 14 RG)
  • $AED80D - Blue Tunic (default 65 3C GB)

If you wished to change your tunic’s default color, all you have to do is use go to the memory addresses in your hex editor and modify the values. For example, here is Link with a white tunic in the USA v1.2 ROM: