Suikoden 2 - Reverse Engineering and Hacking

If you are stuck in the Dunan Unification Wars; or wish for more details on the gameplay systems, this is the place.
Post Reply
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

Several individuals have come through and worked some incredible reverse engineering and technical wizardry for this game over the years. This has contributed substantially to the overall understanding of the game. I'd like to consolidate some of that knowledge in this thread for future sleuths, and maybe to help organize investigations into some of the remaining mysteries locked away in the game.

There are several pieces of information in particular that I think might already have been done, but haven't been made publicly available:

-The game is split into many files, but their function and purpose is not always clear from the name alone - deciphering what they are will help a bunch.
-The Chinese PC version also has all of the same files re-worked for the different architecture, but may also contain debug symbols that help with its organization.
-Pyriel had some IDA scripts in the past for parsing the files. Finding those scripts again would help.
-There are many instances of technical discussion about data structures, process, algorithms, and more throughout this forum. Digging up those discussions and either re-posting or linking them here would be ideal.

If you come across any of the posts containing reverse engineering or other information while perusing the forum, please just drop it in here so we can get it all started.

My immediate purposes for setting this up are somewhat selfish - I want to get better at working through the files so I can uncover information on encounters, loading zone triggers, and more - but I believe there is a lot of value for the community in gathering this information, too. Re-translation efforts, difficulty/balance mods, and many other types of hacks get a lot easier when the game organization is better understood. We have some really talented individuals who have put a lot of legwork in already, and I'd really like to leverage that effort, knowledge, and experience for furthering game knowledge and community collaboration.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

I'll start with listing out the major directories and my best guess at the contents:

-ARA: Scripts and functions related to specific maps. Pretty much everything to do with populating, manipulating, and rendering a map. Progresses through ARK. Regions are in the next post.

-PLAY: seems to contain information on the various player characters. I don't know what's in these files, but many of the names line up with character names.

-SHOP: files relating to the various types of shop. Most of the shop names are romanized Japanese - I'll do my best to provide limited translation.

Douguya - Tools shop.
Kajiya - blacksmith
Kanteiya - appraisal
Koueki - trade
Kparty - ???
Monsyoya - crest (rune) shop
Partyin - ???
Save - save menu and function
Uwasa - literally rumors. I believe it contains the text for the trade rumors, but may have other info.
Yadoya - Inn

-HONP: seems to be files for the various collections and minigames in your main castle. Again, includes many romanized Japanese names.

-BPRG: The routines governing battle rules and execution. Split up into a number of files; FST is first turn, SEC is second turn (and thereafter). I don't know specifically what the other files do, but AFT (after), BEF (before) are at least hinted. MAK is a mystery.

-BFDA: ???

-UNIT: ???

-MAGI: seems to be files relating to the function for various spells.

-MEFE: another folder for magic. Might contain the animations information.

-BOSS: looks like files for each Boss you encounter and their AI.

-EFFE: a single file EFFECT.bin; I don't know what it does.

-EVBA: Event battles. I don't know what constitutes an event battle vs a regular battle, but they all have nondescript titles. Maybe just instances you can't run away from?

-EVEN: Contains EVEFFECT.bin; possibly additional rules governing event battles?

-FEFE: Field effects. I don't know exactly what this means or does.

-IKKI: Duel data (literally one strike). The letter and number for each idat and iprg correspond to a specific duel sequence in that given region.

A3: Duel with Jowy round 1.
A4: Duel with Jowy round 2.
B2: Flik duel.
D: Amada duel 1.
D2: Amada duel 2.
D3: Luca duel.
J: Han duel.

-BOOT: boot information, probably for setting everything up. Also includes various setup for endings, events, game over, and staff roll.

-GAME: As best as I can tell, these are just lists used in-game for various items. Covers just about everything you could use - dishes, arms, tools, towns, etc.

-WAR: individual files for each of the major war battles. I assume they run in order of encounter, but may not be the case.


All of these files are analogous to some you might encounter in the Chinese PC release, however the PC release might spell them out more explicitly. An individual file in the PC release also contains loads more information than its PS1 counterpart; I think this is because of linking and additional debug information left over in that version.
Last edited by Omnigamer on Sun Aug 19, 2018 11:11 pm, edited 3 times in total.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

The area files had more hints than I thought! Areas and locations are as follows, with some still unknown items:

A - Kyaro, Prison, Garage?, Seq?
B - Ryube, Toto, Ikki?, Sparrow Pass, Rune Dungeon, Merc Fort, Yuuwaku (temptation)
C - Muse, Coronet, White Deer Inn, Kokkyo?
D - Radat, North Window, South Window, Kuskus, Kusu?, Cave of Wind, Rukamor?
E - Greenhill, Forest Village, Sekisyo? (official residence)
F - Banner Pass, Rokkaku, Gregminster
G - Tinto, Outside, Drakemouth, Crom, Tigermouth, Kitadouk?, kitado?
H - Two river, Kobold Village, Lakewest
I - Rockaxe, Highway Village, Mt. Rakutei
J - L'Ren, Highland, Assassination, Battle, LastBoss, Sajah, Peace
K - Castle, Minigames, Cooking
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

Tentative listing of the Bosses by filename:

BOSSES

DOR - Bone Dragon?
DOR_K
GOL - Golem
GOL_K
GOR - Gorudo
GWO1 - Gold Wolf?
GWO2 - Gold Wolf?
HAP_K
HAP1 - Harpy?
HAP2 - Harpy revisit?
IMO1 - worm 1?
IMO2 - worm 2?
IMO3 - moth?
KI1 -
KUL_SID - Seed & Culgan
LAS -
LUC1 - Luca 1
LUC2 - Luca 2
LUC3 - Luca 3
LUS1 - Lucia Solo?
LUS2 - Lucia Greenhill?
LUS3 - Lucia L'Ren?
LUS4
LUS5
NEC1 - Neclord NW
NEC2 - Neclord mines
NEC3 - Neclord cathedral
NIK -
NIK_K
RAT - Pest Rat
RAT_K
RAU1 - Rowd?
RAU2 - Rowd?
RYO -
RYO_K
SEI - SDS?
SIE1 - Sierra?
User avatar
Pyriel
Webmaster
Posts: 1227
Joined: Wed Aug 18, 2004 1:20 pm

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Pyriel »

http://www.suikosource.com/phpBB3/viewt ... 68#p151705

The index values for locations in this post correspond to the Area files. Area A is 0, through 9 for Area K. Every time I've used it to identify which file corresponds to the area I'm in, it's worked. Although, there is some possibility that it will be inaccurate when used that way, since the indexes correspond to LBA listings stored in the executables, and those need not be ordered by filename.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

Perfect! That saves me a lot of trouble over the other way I was thinking of cataloging that data... The addresses give me something to watch for during my next testing playthrough, too.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

Small update with regard to the Chinese PC version. As previously noted, some of the files were built with debug symbols left in, most notably GSDMain. While GSDMain does a loooot of things, looking through the other files shows a number of strings set aside for debug purposes, some of which even try to call PSX_Printf from the psxlib. I think that particular call has been neutered, but finding some way to grab that input could be quite helpful for testing, if not just an interesting experiment. There's also a function call in psxlib for IsDebug, which simply checks a byte in memory to determine if debug mode is enabled. It is still called somewhat frequently too, so it's possibly worth forcing it on and seeing what happens/breaks. I'll give it a try next time I have solid working time at home, which should be in about a week.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

I finally got back to working on some of this, and actually have something to show for it!

Following a review of what Pyriel discussed about the Area structures, I made a program that extracts all of the encounter sets for a given region. No big surprises, but it confirmed something I had been wondering about for a while: relative encounter rates for distinct formations. They took a simple approach in that encounters meant to occur more often are just placed on the list multiple times. For example, in the Matilda Forest there are 11 total formations, 3 of which are DoremiElfs. This gives them an effective encounter rate of 3/11 = 27.27%. This matches up with some empirical testing.

In any case, I've uploaded the output for the different regions, as well as the program I used to make them. You may have to cross-reference the file code with the list in locations.txt to figure out what goes where. The program is hardcoded and not commented/cleaned right now, but I'll fix it up for general consumption before too long.

This was something of the warm-up for understanding their data structure style. My next goal is to start deciphering their area scripts, with the goal of locating/understanding how they handle loading zone checking. Knowing exactly where and how the zones operate could lead to some crucial new skips or otherwise, so it will be pretty valuable.
User avatar
Pyriel
Webmaster
Posts: 1227
Joined: Wed Aug 18, 2004 1:20 pm

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Pyriel »

https://github.com/pyriell/gs2-bugfixes ... /reference

Most of the script commands that I've deciphered are in the obviously-named document there. This is the active/scenario scripting that generally blocks everything else. There's another handler that I haven't really got a document for, but the most basic commands are 1 and 2, which check X and Y ranges for event/trigger scripts. There's a bit of discussion on them in the New Game+ thread, along with how areas are loaded and jumped into.

It's probably worth noting that the X/Y they concern themselves with is essentially a tile coordinate system, but movement isn't necessarily restrained by that. There's a finer value stored elsewhere in memory, and if I recall correctly, the tile coordinates are calculated from it constantly. So the skip you use in Greenhill, walking around a trigger zone to avoid a cut scene, is probably due to the way they round the calculation.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

Is there any way to statically determine the loading address for most of the modules? I've relied on the starting addresses you've posted here and there, and the pointer to the info structure as the first word makes sense, but I can't identify a way to determine where a given module will wind up in memory. I can see some ways to do it dynamically, but if there's something simple I'm missing with their layout that would be much easier.
User avatar
Pyriel
Webmaster
Posts: 1227
Joined: Wed Aug 18, 2004 1:20 pm

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Pyriel »

As far as I know, their modules don't do much in the way of metadata, like loading addresses or data sizes. I always have to come up with little heuristics, like "FirstWord > 0x8015DC50 then LoadAt 0x8015DC50 else 0x8010DC50." There's a switch parameter in one of the script commands that designates the loading location, which should really be redundant, given that there's no way to load an area module to any other location, but that's the direction they went with.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

I think I'm finally starting to get a handle on working through the scripts. Did you have a reference for the background script commands similar to the active ones currently listed in your github? The main ones I care about I already know (character position) but I'm curious if some of these scripts might have some hidden/useful nuggets to them. With any luck I'll be able to make a parser that can extract the scripts and turn them into something human-readable.
User avatar
Pyriel
Webmaster
Posts: 1227
Joined: Wed Aug 18, 2004 1:20 pm

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Pyriel »

No, unfortunately I never got around to documenting it. If I recall correctly, the handler only contained about 40 different commands, and I never ran across one that was involved directly with a bug. So I mainly worked out scripts I was interested in, for whatever reason, and left everything in disassembly comments.
Omnigamer
Posts: 324
Joined: Wed Feb 13, 2013 11:48 am

Re: Suikoden 2 - Reverse Engineering and Hacking

Post by Omnigamer »

OK, no worries then. I can work out a lot of them by inference if need be, but the main thing is noting how many operands each command expects so I can make an efficient "script walker" program. I have a naive version that just examines every byte looking for 0x01, 0x02, and 0x09 and assumes them to be the commands I'm looking for, but I'm gradually documenting different commands as I come across them.
Post Reply