The Sonic Discovery Resource - Sonic Advance 2

Here, you'll find a little hacking guide (far from being finished yet) for Boycott Advance and Visual Boy Adavnce savestates of the European version of Sonic Advance ROM.

Note : this guide is far from being finished yet, probably some new info will maybe soon revealed, who knows ?

Note (for the Frenchies) : cette section est pour l'instant en Anglais (car la communauté anglaise a l'air de mieux s'intéresser aux bidouillage des jeux ;)). Mais je la traduirai vraisemblablement ;).

As Sonic Advance can be hacked, Sonic Advance 2 can also be hacked the same way. There exists two methods to hack Sonic advance :

the first one consits in a direct editing in a portion of RAM called Internal RAM using Boycott Advance debugger (debugger is not activated by default in Boycoot Advance, you have to edit the BoycottAdvance.ini file, find a section called "## Debugging Features ##########" and finally write "1" on the field "DebugMenuEnable" instead of "0"). It's the one I use, I think it's also the easiest one (because changes are immediately seen on the screen). ~~Note : that feature only exist in Boycott Advance emulator, Visual Boy Advance only has a RAM viewing feature.~~ Last minute : Visual Boy Advance version 1.1 now has an RAM editing possibitiy, wow ! Just go a few sections lower to see how to hack using Visual Boy Advance Debugger !!
the second one consists in editing a savestate (Boycott or Visual) with an hexeditor. But you must decompress it first by renaming the savestate file into a gz file and decompress it with WinZip. Here, you'll be able to hack.

Well, let's explain them in details.

RAM editing with Boycott Advance debugger

If you did the manipulation above correctly, a Debug menu should appear beside the others on Boycott Avance menu bar. Let's take a look at it. But load your game fisrt. Start a normal adventure with any character. Now, open the Debug menu. Go to "Select Memory Address" and select "Internal RAM". Now, go back up and select "Show Memory". A dialog box showing data starting at the offset 03000000 should appear. To hack, simply double-click one line and you'll be able to edit it in real time, yay ! Now, you can go to the Startup data section in this guide to look for the interesting locations to hack ;).

RAM editing with Visual Boy Advance debugger

Make sure first not to be in fullscreen mode. If it isn't the case, go into the 'Video' menu and select 'x1' or 'x2' or etc. but not fullscreen modes. Debug features will not work in fullscreen. Just go into the Tools menu and select the 'Memory viewer' option. A dialog box should appear. You can select '0x03000000 - IRAM' as viewing location, it's even recommended :p ! You can also see a text field on upper right corner with a 'Go !' button. It's the place for typing specific offsets without searching or scrolling during hours. Don't forget also, to tick the 'Automatic update' option at the lower left corner of this dialog box. Data in this memory viewing window will be automatically updated each time game status is different (ex. permanently changing values as time or animations values can be seen updated each time they are modified by the game). This will keep you from jungling between game and debugger window (because joystick is still active when debugger is active, unlike Boycott Advance). And, I forgot the most important : to hack, simply click on a value, you'll see a black cursor that will let you modify the current value where it's pointed on, yay ! Now, you can go to the Startup data section in this guide to look for the interesting locations to hack ;).

Savestate hacking and decompression

Well, for savestates, it becomes a bit tricky as they are compressed in GZ format. Fisrt, you have to take a savestate during an adventure playing with any character. Now, rename the savestate file by adding to the existing extension (.cot to .co9 for Boycott and .sgm for Visual Boy Advance) the ".gz" extension (it becomes for example .cot.gz, .sgm.gz). Now, open it with WinZip and decompress it. Now, you can look at the Startup data section to see what are for the moment the interesting locations to hack ;). And, when you finish hacking, there's no need to recompress it again in GZ format. Just let the file extension with its original name (if you added the gz extension like mentionned below, the decompressed file should then be .cot or .sgm for example) and it will be automatically recognized by the emulator ! (thanks LOst for this info ;)).

Now, it's time to hack..

Startup Data

You'll find here a little table of the things we're currently able to hack for the moment. First column is the offsets in Inernal RAM, the second one the offsets for a decompressed Boycott Advance savestate, the third one the offstes for a decompressed Visual Boy Advance savestate and finally the fourth one the description of the data corresponding to these offsets. OK, let's go :

Internal RAM offset

Boycott Advance offset

Visual Boy Advance offset

Data description

030053F0

Rings in 16-bit format. Takes effects immediately but counter blocked to 999 if higher value.

03005448

Number of lives (takes effect immediately but the counter will stay blocked to 9 even if you have more)

03005450

Score in 32-bit format. Takes effect immediately. But counter displays glitched sprites if value higher than 7FFFFFFF ("FF FF FF 7F" when editing if you are in a one-byte ordering system).

03005490

Timer in 24-bit format. Takes effect immediately. And, if you put "FF FF FF", you'll die of course.

030054CC

Put 01 to enable Time Attack mode. Pause the game and you'll have the traditionnal Time Attack menu !!! (Change Act, Change Character, etc.)

~~Rings in special stage~~ ~~in 16-bit format. "Now it's easy to finish the Special Stage now, with any character" (LOst). [found by LOst]~~

03005A65

Character swapping (!!!) in game. Takes effect immediately!! 00 = Sonic, 01 = Cream, 02 = Tails, 03 = Knuckles and 04 = Amy and upper values just give you Sonic (no, no hidden character :P). Unlike the "status" character seen in SA1, you doesn't need to pass a level to get the modification effective. Actually, the sprite is updated when you make a move or jump with control pad.

030055B4

The current zone you're in. ~~Values go from~~ 00 to 0D ~~where~~ ~~00 is NGHZ act 1~~, ~~01 NGHZ act 2~~ ~~and~~ ~~OD is X-Zone~~. Like on a Genesis, you need to die for the change to be fully effective. Infact, when you change the value, graphics are not glitched at all, you just have some objects that change their aspect (moving plateforms, jumping plateforms/clouds, etc.) and look like the ones you find in the level where you want to go.

Note : Visual Boy Advance offsets have been originally found by LOst (in the Sonic Advance 1 hacking guide). I deduced other values by simple hex calculating.Other thing, about conversions : you must subsract 2FBFE33 to an Internal RAM offset to get the Boycott Advance savestate one (BA offset = IRAM offset - 2FBFE33). And you must substract 2FFFE21 to an Internal RAM offset to get the Visual Boy Advance savestate one. Well, I hope this will help you more in finding new things to hack in this game, whatever the hacking method you use ;).

Menu and option selected data

Mostly, data relative to options selected in menus (like sound in sound test or option in option menu, etc. Here's a table of the interesting locations to hack that I've just found :

Internal RAM offset

Boycott Advance offset

Visual Boy Advance offset

Data description

030041EC

Option selected in main (title) menu. ~~Becomes~~ ~~030028A2~~ ~~if you enter this menu not for the first time (or if you entered other menus first).~~ 00 to 05 ~~are conventionnal values for 'game start', 'options', etc. Other numbers will either crash the game or give you some other ingame menus. OK, here they are :~~

- 0F = Time attack game
- 10 = Time attack records per character
- 1E = Player data viewing
- 21 = Sound test
- 22 = Language select
- 2A = Name entry menu
- 2B ~~= All time attack records for current player~~

03002A32

Option selected in 'Options' menu. 00 to 07 ~~are conventionnal values for 'player data', 'level', 'time up', etc. Others numbers will crash the game or give you the famous 4-bar screen (example : value '~~08~~' will give you that 4-bar thing)~~

0300271C

Sound/music selected in sound test. It seems that SA2 sound test is more advanced than the SA1 one. You can't go higher than the maximal value... I think.

03002FBF

Level selected in level select menu. ~~Becomes~~ ~~030023F9~~ for 'time attack' or if you enter this menu not for the first time (or if you entered other menus first). Let you change the current level selected even if you don't have unlocked this level (it will appear in grey this case). And like for the level switching value, values go from 00 to 0D ~~and Moon Zone is accessible with any character with the same glitches as those I mentionned a bit higher on this page. And, of course, values higher than 0D will give you access to chao hunt zones.~~

0300285C

~~Becomes~~ ~~03002874~~ ~~for 'time attack' or if you enter this menu not for the first time (or if you entered other menus first)~~. Sprite selected in character select menu ~~where~~ 80 ~~is Sonic,~~ B0 ~~is Tails,~~ EC ~~is Knuckles and~~ 28 ~~is Amy. Other values will freeze the game or give you glitched sprites or crap.~~

Savegame or battery relative data

You know, it's that data which is stored in those famous *.sav files generated by GBA emulators. But, hacking directly into these files is not that easy. Worse, you can even loose all your savegame data, just by changing one byte into those files. This is mostly due to built-in integrity checkers stored in thoses files. If you change a value without reporting this change into these intgrity values, all your savegame data (aka completed levels, chao rings, time attack records, etc.) will be lost !!! So, I propose you a rather more friendly method to hack this special data : directly hacking into RAM or savestates ! All that without caring of integrity checkers (because they are automatically rewritten when a change is made into this data in real time). Savegame or battery data start at offset 03005160 in Internal RAM (or 4532D for a decompressed Boycott Advance savestate and 533F for a decompressed Visual Boy Advance one). OK, here's a table of the interesting locations to hack that I've found for the moment :

Internal RAM offset

Boycott Advance offset

Visual Boy Advance offset

Data description

0200266B

Character unlocking, where 01 = Sonic, 02 = Cream, 04 = Tails, 08 = Knuckles and 10 = Amy. On this offset, the total value represents the sum of such or such character value. One character value corresponds to one unlocked character. To get such or such character unlocked, you must add each character value to get the total. To get all characters unlocked, just simply add all the values each other.

0200265F, 02002660, 02002661, 02002662 and 02002663

Respectively, last levels completed by Sonic, Cream, Tails, Knuckles and Amy. (correct values are 01, 02, 04, 07, 08, 0B, 0C, 0F, 10, 13, 14, 17, 1B -- where 01 is Leaf Forest and 1B is Final Zone)

02002664, 02002665, 02002666, 02002667 and 02002668

Emeralds in possession for each character (possible values are 01, 02, 04, 08, 10, 20 and 40). Emerald count works the same way as deblocking characters. The total value is the sum of such or such emerald value. To get all emeralds, just add all the values each other ;) (it gives you 7F in that case).

02002669

Sound Test unlocking (writing 01 instead of 00 at this offset will give you access to Sound Test)

0200266C

Tiny Chao Garden unlocking (writing 01 instead of 00 at this offset will give you access to Tiny Chao Garden).

Unkown for the moment!!!

Ring number in Tiny Chao garden (16-bit format). I think the maximal value we can have is 'FFFF' but I'm not sure.

02002672

Final Zone unlocking (writing 01 instead of 00 at this offset will give you access to Final Zone)

Little remark about modifying savegame data in realtime : to automatically update integrity checking values, you must enter the option menu and get out of it ABSOLUTELY. Or, all your changes will not be effective. I don't know, but when you enter option menu and get out of it, it forces the game to make an integrity checking routine and update, if necessary, integrity checking numbers. [lol, I'm not sure if it also works like this in Sonic Advance 2]

I recall you that this page is under construction, that means that it's far from being finished (aka, I'm sure, lot of things to come soon ;)).

Well, that's all about savestate hacking in Sonic Advance 2 emulation. If you ever have questions, remarks to make or if this document contained mistakes, just don't hesitate : sonic-discovery@fr.st for my e-mail address (the one from the site) and ~~le forum Sonic-Online~~ ~~(for French people - section 'émulation' cette fois)~~ and The SSRG message boards for English people.