Main - ROM Hacking - Question about NES ASM - JSR (20) Opcode New thread | New reply


Trax
Posted on 07-29-07 05:44 AM Link | Quote | ID: 59284


Yellow Stalfos
Level: 71

Posts: 90/1145
EXP: 3035471
Next: 131643

Since: 07-06-07
From: Québec

Last post: 3625 days
Last view: 2877 days
Okay, when I do ASM hacking and disassembly (?), I'm not exactly sure what to do about Opcode 20, which is Jump to Subroutine (JSR), with a 2-byte operand. Since I don't have access to incredible software like FCEU or such, I can't do any RAM tracing. Chunks of data are often copied from ROM directly to RAM. The question also applies to JMP (4C).

My question is, how do I know where the pointer is actually pointing to?
Here's a real example, with the Zelda II ROM, at 0x5C17:

20 A2 E9

So the reconstituted address is 0xE9A2. Of course, it doesn't necessarily mean I can go to 0xE9A2 in ROM and assume it's what happens in real-time. Sometimes you have to adjust the address according to specific factors, like RAM pages, mappers, etc...

How can I make absolutely sure that I'm moving to the correct address?

Jigglysaint
Posted on 07-29-07 05:58 AM Link | Quote | ID: 59287


Red Paragoomba
Level: 20

Posts: 11/62
EXP: 38535
Next: 3904

Since: 04-04-07

Last post: 4616 days
Last view: 2353 days
Posted by Trax
Okay, when I do ASM hacking and disassembly (?), I'm not exactly sure what to do about Opcode 20, which is Jump to Subroutine (JSR), with a 2-byte operand. Since I don't have access to incredible software like FCEU or such, I can't do any RAM tracing. Chunks of data are often copied from ROM directly to RAM. The question also applies to JMP (4C).

My question is, how do I know where the pointer is actually pointing to?
Here's a real example, with the Zelda II ROM, at 0x5C17:

20 A2 E9

So the reconstituted address is 0xE9A2. Of course, it doesn't necessarily mean I can go to 0xE9A2 in ROM and assume it's what happens in real-time. Sometimes you have to adjust the address according to specific factors, like RAM pages, mappers, etc...

How can I make absolutely sure that I'm moving to the correct address?



Well actually, the last 4 pages in RAM are always static ($C000 to $FFFF), so it always points there. Pointers don't seem to be so much about pointing to data offsets in ROM as much as it's in RAM. Also, don't forget the 16-byte header to add. So if a trace returns $20 A2E9, the destination address is actually $E9B2. The static banks contain the game's program code that allows all the core data that is used everywhere.

Trax
Posted on 07-29-07 06:20 AM Link | Quote | ID: 59291


Yellow Stalfos
Level: 71

Posts: 91/1145
EXP: 3035471
Next: 131643

Since: 07-06-07
From: Québec

Last post: 3625 days
Last view: 2877 days
So basically, is there any way I can find out where to go in ROM according to my example?
What is the portion of ROM data that is stored at 0xC000?

Ice Ranger
Posted on 07-29-07 06:30 AM (rev. 2 of 07-29-07 06:31 AM) Link | Quote | ID: 59295

Newcomer
Level: 8

Posts: 6/8
EXP: 1792
Next: 395

Since: 02-21-07

Last post: 6108 days
Last view: 5540 days
Actually, I think the easiest way to do this is to use some version of FCEUXDSP... I really don't know how people did it before. If you could give me a list of 8 bytes of where you wanted the code to jump, I might be able to help you since I'm picking up my desktop tomorrow. I just hope you put it into a section of the ROM where it can easily be accessed as I don't know how to switch out pages quite yet... just messing with the current page. (and I am sure "pages" is not the correct term; it's probably banks I'm thinking)

Also, I'm assuming this is for Zelda 2. What kind of code are you putting into place or doing a subroutine jump? Is it something already in the game or some new code you have written?

Trax
Posted on 07-29-07 06:38 AM Link | Quote | ID: 59297


Yellow Stalfos
Level: 71

Posts: 92/1145
EXP: 3035471
Next: 131643

Since: 07-06-07
From: Québec

Last post: 3625 days
Last view: 2877 days
It's something already in the game. I'm only trying to decompile everything and attempt to understand the inner workings of the game from that. From some of what I see, I can deduce what it does (approximately), but it's just too bad I have to stop every time I bump into 20, 4C or 60...

There must be a kind of pattern to determine how a pointer should be converted...

never-obsolete
Posted on 07-29-07 10:23 PM Link | Quote | ID: 59406


Rat
Level: 24

Posts: 7/96
EXP: 74488
Next: 3637

Since: 02-22-07
From: Phoenix, AZ

Last post: 2595 days
Last view: 2595 days
Posted by Jigglysaint
Well actually, the last 4 pages in RAM are always static ($C000 to $FFFF)

This is mapper/setup dependent. The MMC1 can also be set up so that $8000-$BFFF is mapped to the 2nd-to-last 16K PRG bank and $C000-$FFFF is programmer mappable, or a 3rd way provides a full 32K switch.

Posted by Trax
My question is, how do I know where the pointer is actually pointing to?

You could keep track of writes to $E000-$FFFF (where the PRG register is mapped) and keep a running tab on what PRG banks are mapped where in your head.
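Putting the thread's pieces together (the fixed $C000-$FFFF bank and the 16-byte header from Jigglysaint's reply, the mapper-dependent PRG modes and the bank-register bookkeeping from the reply above), here is an added Python example; it is not code from anyone in the thread. It assumes the MMC1 PRG mode bits as given in common MMC1 documentation, and it uses a constructed iNES image (8 PRG banks, mapper 1, no trainer) with the thread's bytes 20 A2 E9 placed at file offset 0x5C17. The function names and the sample image are my own.

```python
# Added example (not code from the thread): map the CPU address named by a
# JSR/JMP operand to a byte offset in an iNES ROM file, under MMC1-style PRG
# banking as described in common MMC1 documentation (an assumption here; the
# thread itself does not spell out the mapper's register layout).

INES_HEADER_SIZE = 16        # the 16-byte header Jigglysaint mentions
TRAINER_SIZE = 512           # optional trainer block that some dumps carry
PRG_BANK_SIZE = 0x4000       # one 16 KB PRG bank
JUMP_OPCODES = {0x20: "JSR", 0x4C: "JMP"}   # 3-byte absolute-address jumps


def parse_ines_header(rom: bytes) -> dict:
    """Pull the fields this example needs out of an iNES header."""
    if rom[:4] != b"NES\x1a":
        raise ValueError("not an iNES image")
    flags6, flags7 = rom[6], rom[7]
    return {
        "prg_banks": rom[4],                        # count of 16 KB PRG banks
        "mapper": (flags7 & 0xF0) | (flags6 >> 4),  # MMC1 is mapper 1
        "has_trainer": bool(flags6 & 0x04),
    }


def prg_data_start(hdr: dict) -> int:
    """File offset of the first PRG byte (header, plus trainer if present)."""
    return INES_HEADER_SIZE + (TRAINER_SIZE if hdr["has_trainer"] else 0)


def cpu_to_prg_bank(addr: int, prg_mode: int, switch_bank: int, prg_banks: int):
    """Return (bank_index, offset_in_bank) for a CPU address in $8000-$FFFF.

    prg_mode follows MMC1 control bits 2-3 (per common MMC1 documentation):
      0 or 1: one 32 KB window at $8000 (low bit of switch_bank ignored)
      2:      bank 0 fixed at $8000, switch_bank at $C000
      3:      last bank fixed at $C000, switch_bank at $8000
    switch_bank is whatever the game last wrote to the PRG bank register
    ($E000-$FFFF on MMC1), which is the value the reply above says to track.
    """
    if not 0x8000 <= addr <= 0xFFFF:
        raise ValueError(f"${addr:04X} is not in PRG-ROM space")
    upper = addr >= 0xC000
    last = prg_banks - 1
    if prg_mode in (0, 1):
        bank = (switch_bank & ~1) + (1 if upper else 0)
    elif prg_mode == 2:
        bank = switch_bank if upper else 0
    elif prg_mode == 3:
        bank = last if upper else switch_bank
    else:
        raise ValueError("prg_mode must be 0-3")
    if bank > last:
        raise ValueError(f"bank {bank} does not exist in a {prg_banks}-bank image")
    return bank, addr & (PRG_BANK_SIZE - 1)


def cpu_to_file_offset(rom: bytes, addr: int, prg_mode: int = 3, switch_bank: int = 0) -> int:
    """File offset holding the byte the CPU sees at `addr` under the given banking."""
    hdr = parse_ines_header(rom)
    bank, off = cpu_to_prg_bank(addr, prg_mode, switch_bank, hdr["prg_banks"])
    return prg_data_start(hdr) + bank * PRG_BANK_SIZE + off


def decode_jump(code: bytes):
    """Decode a JSR ($20) or JMP ($4C) with its little-endian 2-byte operand."""
    if len(code) < 3 or code[0] not in JUMP_OPCODES:
        return None
    return JUMP_OPCODES[code[0]], code[1] | (code[2] << 8)


def locate_jump(rom: bytes, file_offset: int, prg_mode: int = 3, switch_bank: int = 0):
    """Decode the jump at `file_offset` and resolve its target to a file offset."""
    decoded = decode_jump(rom[file_offset:file_offset + 3])
    if decoded is None:
        return None
    mnemonic, target = decoded
    return mnemonic, target, cpu_to_file_offset(rom, target, prg_mode, switch_bank)


def build_sample_rom() -> bytes:
    """Constructed image: 8 PRG banks (128 KB), mapper 1, no trainer, with the
    thread's bytes 20 A2 E9 placed at file offset 0x5C17. Not a real game dump."""
    header = b"NES\x1a" + bytes([8, 0, 0x10, 0x00]) + bytes(8)
    prg = bytearray(8 * PRG_BANK_SIZE)
    body_offset = 0x5C17 - INES_HEADER_SIZE
    prg[body_offset:body_offset + 3] = bytes([0x20, 0xA2, 0xE9])
    return header + bytes(prg)


ROM = build_sample_rom()

if __name__ == "__main__":
    mnemonic, target, where = locate_jump(ROM, 0x5C17)
    print(f"{mnemonic} ${target:04X} -> file offset 0x{where:X} (fixed last bank)")
    for mode in (0, 2, 3):
        off = cpu_to_file_offset(ROM, target, mode, 5)
        print(f"mode {mode}, bank register 5: ${target:04X} -> 0x{off:X}")
```

With this constructed 128 KB image in fixed-last-bank mode, JSR $E9A2 resolves to file offset 0x1E9B2 (header 16 + bank 7 * 0x4000 + 0x29A2); with a different PRG size or a different mode the same CPU address names a different file byte, which is the mapper dependence the thread keeps coming back to. For targets in $8000-$BFFF under mode 3 there is no single answer without the bank register value the game wrote last, so the resolver takes it as a parameter rather than guessing.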



Acmlmboard 2.1+4δ (2023-01-15)
© 2005-2023 Acmlm, blackhole89, Xkeeper et al.
