Points of Required Attention™
Please chime in on a proposed restructuring of the ROM hacking sections.
Views: 88,442,306
 Main | FAQ | Uploader | IRC chat | Radio | Memberlist | Active users | Latest posts | Calendar | Stats | Online users | Search 04-20-24 01:47 PM
Guest: Register | Login

0 users currently in ROM Hacking | 2 guests | 1 bot

Main - ROM Hacking - Beginner NES Hacking questions (Bucky O'Hare) New thread | New reply


messiaen
Posted on 11-24-08 11:15 PM Link | Quote | ID: 94843


Cheep-cheep
Level: 32

Posts: 84/193
EXP: 204348
Next: 2094

Since: 05-26-08
From: Porto Alegre, Brazil

Last post: 4437 days
Last view: 4765 days 		Hi!

I'm tinkering with Bucky O'Hare (NES) for a change and I do have a few begginer NES questions.

First, about pointers. Why are they inverted ? Is it some endianness issue (but then, shouldn't the whole ROM have the same byte order) ? How do I make sense of this:

For Bucky O'Hare, each "screen" is composed of 8 x 6 (x,y) tiles, that is 0x30 bytes. Before the level data starts, there is a list of pointer for each screen (it saves a lot data when there are repeated screens for scroll levels).

For the first level, whose tiles begin at 0x8B00 (+10 if you count the header), it goes like this: 0x008B, 0x308B, 0x608B. Basically 0x8B00 + 30. So, it's an absolute offset.

But in a later level, whose tiles begin at 0xCB88, the pointers goes like this: 0x888B, 0xB88B, 0x888B. So, they are all offset by 0x4000 (the size of one PRG bank?).

Is this because of bank-switching, different addressing modes or what? Why aren't pointers from other levels also relative like this one? Also, from this data, is there an quick way to find the code that loads level data? I am learning some 6502 and want to explore the ASM side to locate data more easily.

Also, about headers. It's a pain having to remember all the time to do +10 or -10 for pointers, is there a simple way to strip the header so I can work with a header-less ROM? Just butchering the first 0x10 bytes in the ROM didn't work, so I guess there's a less primitive approach to it.

smkdan
Posted on 11-25-08 06:49 AM Link | Quote | ID: 94879


Ninji
Level: 36

Posts: 155/238
EXP: 288511
Next: 19599

Since: 05-26-07

Last post: 4056 days
Last view: 4006 days 		99% of the time pointers are stored low-high although developers can store them however they want.

The 16kb offset is most likely bankswitching. not sure what mapper it's got, it sounds like it's switching the 16kb bank at $8000-$BFFF (MMC1 comes to mind), or a pair of 8kb banks at the same spot (MMC3) . Breakpoint on level data / pointers will show the code that access it. Just delete the first 16 bytes in a hex editor to get rid of the header, I don't see the issue with that. Ofcourse the header has to be present for the ROM to run in an emulator, it's not like the SNES where the header is meaningless.

MathOnNapkins
Posted on 11-25-08 02:37 PM Link | Quote | ID: 94883


Super Koopa
Level: 62

Posts: 561/842
EXP: 1934602
Next: 50084

Since: 02-19-07
From: durff

Last post: 4482 days
Last view: 4005 days 		Just to clarify, they are stored low high because the NES's 6502 is little endian. That doesn't stop a programmer from storing a pointer as high low, but then they will have to manipulate that pointer (i.e. ptr = (ptr << 8 | ptr >> 8) in order to use it for any jump locations or data accesses. I've seen cases where a programmer has done this in actual roms, and I don't understand why they would want to do it, but it happens pretty rarely so just keep your eyes open.

____________________
Zelda Hacking Forum
hobbies: delectatio morosa

messiaen
Posted on 11-25-08 09:58 PM Link | Quote | ID: 94908


Cheep-cheep
Level: 32

Posts: 85/193
EXP: 204348
Next: 2094

Since: 05-26-08
From: Porto Alegre, Brazil

Last post: 4437 days
Last view: 4765 days 		The problem about setting breakpoints is that I tried searching for these pointers in the NES Memory inside the level, but couldn't find them. Are they read straight from the ROM? If so, how to set a breakpoint on it being acessed? Or am I missing something important here?

The game uses the MMC3 mapper (128k PRG / 128k CHR). I still got to learn a LOT more about it , but I stumbled into some code which is probably the bank swapping routine judging from the documents I've read, so it might help me understand a bit more about it.

By the way, here is a first attempt to map some of the RAM: 


0x20 = Current level:  [If you change it inside a level, enemies from that level will be used, but with glitched graphics]
00 = green planet
01 = red planet
02 = blue planet
03 = yellow planet
04 = cell
05 = salvage chute
06 = center of magma tanker
07 = escape

0x4C = number of lives
0x4D = current pallete

0xD10 = bucky y position (00 = top)
0XD11-D1c: sprites y position
0xD1D-1DF= bucky shots Y position

0xD20 = bucky x position (80 = centered, 0e = leftmost position)
0xD21-D2c = sprites x position
0xD2D-D2F = Bucky shots X position

0xDA0 = Life meter

0xFF5 = music transposition 
0xF20-1000 = misc music variables

smkdan
Posted on 11-26-08 03:25 AM Link | Quote | ID: 94954


Ninji
Level: 36

Posts: 156/238
EXP: 288511
Next: 19599

Since: 05-26-07

Last post: 4056 days
Last view: 4006 days 		what's wrong with setting the breakpoint on the pointer address on swapped in bank? it has to be read from ROM at one point or another.

The NES only has 2kb of RAM (0000-07FF) so in the case that the game is actually accessing those mirrored regions you might want to write it as an address between 0000-07FF (more readable that way).

Main - ROM Hacking - Beginner NES Hacking questions (Bucky O'Hare) New thread | New reply

Acmlmboard 2.1+4δ (2023-01-15)
© 2005-2023 Acmlm, blackhole89, Xkeeper et al.

Page rendered in 0.021 seconds. (341KB of memory used)
MySQL - queries: 57, rows: 82/82, time: 0.016 seconds.