I'm trying to find the text pointers in the SNES game Marvelous - mou hitotsu no takarajima. The game has an SA-1 chip. The ROM size is 3MB, but the rom info in snes9x reports 32mbit. It is supposedly LoROM, but also uses HiROM addressing. The font tiles and script are uncompressed. I have a pretty complete table, and have dumped the script. Now, I want to find the pointers. I'm not sure if all this information is relevant, but better to have and not need, right?
The first two strings in game start at the following offsets:
Replacing every occurrence of A0A2 with random numbers did not affect the dialogue loading, so I figured the pointers are probably stored as offsets from a base pointer location.
I ran a trace of the first line of dialogue coming out, and I think I hit the nail on the head. http://pastie.org/pastes/2964392/text
To my untrained eye, the following lines seemed important.
$97/EBBB AF 94 7A 40 LDA $407A94[$40:7A94] A:0440 X:0002 Y:0024 D:3000 DB:97 S:1FF1 P:envmXdizc HC:0822 VC:001 FC:14 I:00
$97/EBBF 0A ASL A A:0000 X:0002 Y:0024 D:3000 DB:97 S:1FF1 P:envmXdiZc HC:0878 VC:001 FC:14 I:00
$97/EBC0 AA TAX A:0000 X:0002 Y:0024 D:3000 DB:97 S:1FF1 P:envmXdiZc HC:0900 VC:001 FC:14 I:00
$97/EBC1 BF 95 EB 97 LDA $97EB95,x[$97:EB95] A:0000 X:0000 Y:0024 D:3000 DB:97 S:1FF1 P:envmXdiZc HC:0922 VC:001 FC:14 I:00
$97/EBC5 8D AA 35 STA $35AA [$97:35AA] A:0EA0 X:0000 Y:0024 D:3000 DB:97 S:1FF1 P:envmXdizc HC:0978 VC:001 FC:14 I:00
$9F/BA4F A0 00 00 LDY #$0000 A:7F7F X:0EA0 Y:0001 D:3500 DB:00 S:1FEB P:envmxdizC HC:0820 VC:055 FC:14 I:00
$9F/BA52 BB TYX A:7F7F X:0EA0 Y:0000 D:3500 DB:00 S:1FEB P:envmxdiZC HC:0852 VC:055 FC:14 I:00
$9F/BA53 84 9C STY $9C [$00:359C] A:7F7F X:0000 Y:0000 D:3500 DB:00 S:1FEB P:envmxdiZC HC:0874 VC:055 FC:14 I:00
$9F/BA55 86 9A STX $9A [$00:359A] A:7F7F X:0000 Y:0000 D:3500 DB:00 S:1FEB P:envmxdiZC HC:0910 VC:055 FC:14 I:00
$9F/BA57 B7 04 LDA [$04],y[$E2:A2A0] A:7F7F X:0000 Y:0000 D:3500 DB:00 S:1FEB P:envmxdiZC HC:0964 VC:055 FC:14 I:00
Not that I really know anything about ASM, but it does the following:
Loads $407A94 (which is seemingly 0) into A
ASL (doubles?) it? (which is still 0)
Puts A into X
Loads $97EB95 (apparently 0EA0) + x (which is zero) into A (now A is 0EA0 )
Stores A (0EA0) in $35AA which is (for some reason) $97:35AA
Then it loads $AA (with DP of $3500?, so $00:35AA) into X (X is now 0EA0) (this somehow accesses SA-1 chip? no clue)
Then it loads $40DBE0 (the base pointer location) + X (which is 0EA0, an offset from base pointer) into A ($40:EA80 in BSNES memory editor is A0A2E2, but the accumulator is 16 bit, so just A2A0)
But it somehow overcomes that to get $E2:A2A0 , which is a HiROM address for the PC location $22A2A0, my line of text.
Ignoring the fact Marvelous is LoROM, hey pretty good? Looks like the pointer routine. EXCEPT I can't figure out what $407A94 is pointing to, or $97EB95, or $40DBE0 to be honest. Using BSNES's memory editor, I can see the pointer table starts at $40DBE0 and has a few hundred 24bit pointers. But what does $40DBE0 correspond to? ROM? Cartridge RAM? Using Lunar Address to calculate possible PC offsets for LoROM or HiROM of those locations doesn't yield anything sensible.
The next line of dialogue (PC file offset $22A311, pointer offset 0EA3) follows the same pattern: http://pastie.org/pastes/2964559/text
I know this is a poorly explained text wall, but I am banging my head on a wall. How can I find where the pointers are stored in the ROM?
***** EDIT: ****************
MKendora from the IRC channel gave me the answer. The key was finding $97EB95. The SA-1 has a flippy bit at $2222 that sets how to map addresses in the $80-$9F:8000-FFFF range. So I took $97EB95 and masked it with 0x7FFF, which gave me $6B95. Relative jumping through the ROM in $8000 increments eventually lands at $2BEB95, which is lo! A00E, and not coincidentally so. The whole pointer offset table is there. This knowledge allows me to change the positions of pointers, but not change the pointers themselves.
To change the actual pointers, I still need to know what $40:EA80 maps to. Any ideas?
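The address arithmetic from the edit above, as an added Python example that is not part of the original post: it converts the two ROM windows seen in the trace ($80-$9F:8000-FFFF and $E0-$EF) to file offsets and follows the index, offset, pointer chain. Block number 2 is inferred from the offsets quoted in the post, and the ROM image and pointer-table bytes are constructed sample data holding only those quoted values (the second string being index 1 is an assumption).

```python
import struct

BLOCK = 0x100000  # the SA-1 maps ROM in 1 MB blocks

def lorom_window_to_pc(addr, block):
    """$80-$9F:8000-FFFF -> file offset; each bank holds 32 KB of the block."""
    bank, off = addr >> 16, addr & 0xFFFF
    if not (0x80 <= bank <= 0x9F and off >= 0x8000):
        raise ValueError(f"${addr:06X} is outside $80-$9F:8000-FFFF")
    return block * BLOCK + (bank & 0x1F) * 0x8000 + (off & 0x7FFF)

def hirom_window_to_pc(addr, block):
    """$E0-$EF:0000-FFFF -> file offset; each bank holds 64 KB of the block."""
    bank, off = addr >> 16, addr & 0xFFFF
    if not 0xE0 <= bank <= 0xEF:
        raise ValueError(f"${addr:06X} is outside $E0-$EF")
    return block * BLOCK + (bank & 0x0F) * 0x10000 + off

def resolve_string(rom, ptr_table, index, block=2):
    """Follow the chain in the trace: index -> 16-bit offset -> 24-bit pointer."""
    entry = lorom_window_to_pc(0x97EB95, block) + 2 * index  # ASL A / TAX
    (offset,) = struct.unpack_from("<H", rom, entry)          # LDA $97EB95,x
    lo, hi, bank = ptr_table[offset:offset + 3]               # little-endian 24-bit
    return offset, hirom_window_to_pc(bank << 16 | hi << 8 | lo, block)

def build_sample():
    """Constructed data: only the values quoted in the post are filled in."""
    rom = bytearray(3 * BLOCK)                                # 3 MB image of zeros
    struct.pack_into("<HH", rom, 0x2BEB95, 0x0EA0, 0x0EA3)    # offset table entries
    ptr_table = bytearray(0x0EA6)                             # stand-in for $40DBE0...
    ptr_table[0x0EA0:0x0EA3] = bytes([0xA0, 0xA2, 0xE2])      # -> $E2:A2A0
    ptr_table[0x0EA3:0x0EA6] = bytes([0x11, 0xA3, 0xE2])      # -> $E2:A311
    return rom, ptr_table

if __name__ == "__main__":
    rom, table = build_sample()
    for i in range(2):
        off, pc = resolve_string(rom, table, i)
        print(f"string {i}: pointer offset ${off:04X} -> file offset ${pc:06X}")
```
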