PSX Save Hacking / Visualization
3 years ago
United States

Obviously for Ogre Battle this is more useful for seeing how saves are structured and doesn't work for editing things due to the 2 block save system and sanity checks:

You can use more advanced tools like Dex drives and emulation based hacking tools to compare in more detail, but that takes a lot of time.

Edited by the author 3 years ago
NewSchoolBoxer likes this

That is the funniest thing I've seen in a long time but done unironically b​) I have RPG Maker and was wondering just what you were going to do for memory corruption. So 2 block save creates 2 headers and is therefore harder to create a save that will load. Good to know. Thanks for investigating!

What I did without a Dexdrive to play downloaded RPG Maker games (20+ years ago) was convert them to ePSXe format with Adool's save converter. Can play on modern PS1 emulator and examine saves in native PS1 format that way.

On a related note, it takes 72 frames to save an SNES file. I tried with a file right after Warren's Castle and another halfway through with almost full army. One frame buffer before an input is processed and presumably on the end "Saved" notification, so effectively a 70 frame window. Using "" key frame advance on SNES9Xv.1.57, resetting 10-40 frames in always yielded intact save files that loaded but a "NOTHING" deleted save at 5 frames. More research to come.

Edited by the author 3 years ago
Krayzar likes this
United States

I've been taking a look at SNES as well, and I'm pretty sure that the save process is too quick to be useful. If I had to guess, it only takes it a frame to actually save. 5+ frames seems to always result in the same data being written if you take a look at the SRM written in a hex editor. Can't say for sure - a further along game might take longer, but it doesn't look promising if we have to rely on late game saves to do anything.

Perhaps the Nintendo Power version's in game saves are different though.

Here's a tutorial for taking a look at SRM files:

NewSchoolBoxer likes this

LTTP having mirrored saves and save checksums is far beyond the data integrity checks I thought SNES games would have. Doesn't bode well for Ogre Battle!

In my testing, resetting at 5+ frames always results in an intact save. Resetting at 1-4 frames always results in an empty file, with one exception. Saving a file over itself and resetting at 1-4 frames keeps it intact.

Maybe, just maybe, shifting the inventory around and saving the file over itself can duplicate item slots. Really need to examine SRM at frames 1-5 in a hex editor like you're saying for proof of concept.

Krayzar likes this
United States

I played around with my SNES cart today and noticed some behavior that made me think Ogre Battle had a checksum system. The game claimed there wasn't any data at a reset in the first moments of a save, yet if I dumped the cart, there was data saved for that slot.

Tried to see if anyone else had dug into this first and sure enough, Finshore had...

So the bad news is that Ogre Battle SNES is confirmed to have a checksum, but the good news is it's a rather simple one:

https://gamefaqs.gamespot.com/boards/588541-ogre-battle-the-march-of-the-black-queen/52327806

There is no mirroring or other types of obfuscation, so it might actually be manipulatable with a lot of effort.

Given that the leader and most important data is in the beginning, it may be possible half save over a Fireseal save and still have the same checksum. Like I said though, a lot of effort and testing required, and it assumes a frame perfect reset, and perfect RNG out of Warren's Castle to get enough units to make it possible.

We'll see. If it does work, I think I'd like to see it in it's own category though.

Edited by the author 2 years ago