
Topic: Besides brute force, is there any way/technique to dissect a ROM?

Nightshade_part1
Good evening, People of ROMhacking.

Despite being a programmer, I have never ventured into the world of NES games, so my knowledge on the subject is kind of limited.

Lurking online I found a lot of helpful tutorials about the inner workings of the NES, and what makes it tick. For the most part they have been helpful, and I plan to keep on reading them to educate myself better on the subject.

However, I have not found any suggestion on ways to understand how a game works, to dissect a ROM. Of course, there is always the good old-fashioned way [open hex editor, go frame by frame, try different things, see changes, make annotations, repeat], but I was wondering if there were more reliable tools and/or strategies to work this out.

Any help would be greatly appreciated.

Yours Faithfully, Nightshade.

Malias
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #1 on: April 24, 2016, 02:12:36 am »
If you haven't already, I'd recommend looking at our Getting Started page.  Beyond that, I'd recommend a good debugging emulator.  For NES, FCEUX is a good choice.  Don't forget to peruse the site's Documents and Utilities sections.
The great achievement is to lose one's reason for no reason, and to let my lady know that if I can do this without cause, what should I do if there were cause?
     ~Don Quixote~

FAST6191
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #2 on: April 24, 2016, 02:44:39 am »
Yeah dozens of things, the docs cover many. I should note though that outside of homebrew programming most old consoles were all included in the binary so no filesystem or executable layout of great note happened. Exceptions for things that were basically computers (amiga and things that came on floppy discs) and things that came on CDs. Even in those exceptions though things are not above being stuck in the binary.

Brute force starts with open in hex or tile editor and press page down a lot, it ends with you corrupting parts of the ROM, running it and then seeing what changed. You can direct your corruption as well so if you see ?? through XX is graphics then no need to corrupt that when looking for text. Many seem to discourage corruption nowadays but I am not inclined to forget it yet.

After this is recursive searching -- run the ROM, see the graphics you want loaded into memory (there is not a lot of it on the NES after all), see the segment you want and search the ROM for that. On later systems I use this to find graphics palettes quite successfully. Altered data (said palettes are fine until they are dynamic), compression, encryption and more will trouble this.

Fingerprinting. A given file format may feature a given sequence. On the GBA the ROM tends to be read using the 08000000 through 08FFFFFF memory range so I see a bunch of 08??????08ZZZZZZ08YYYYYY then I might well have a table/field/map of pointers. Neither are so useful or as readily workable on the NES where many things were custom from the ground up and the mappers using bankswitching mean not everything is visible at all times but still worth having in mind. Compression can also have tell tale signs and so you can search for it, though what limited stuff there is on the NES is often again custom from the ground up rather than provided by the SDK/BIOS like some later systems.

Things like relative search. Not so useful for Japanese text but most custom text encodings follow the Roman alphabet, a relative search tool (I like Monkey-Moore) will then search the ROM for patterns in the phrase you feed it (CAB is one value, a value two lower than that and the final one is one less than the first). For text there are a load more, value distribution (space is probably the most common character and have you ever considered why Scrabble is scored the way it is?), ROM alteration (you know some values for text but not all -- you have a hex editor and the means to run/test it...), font scanning (encodings will tend to follow the order of a font) and the list goes on.

Finally we hit the assembly methods. I already mentioned searching the ROM using data plucked from memory, that is probably the weakest method here. The king of all methods is tracing where you find the thing in memory, tell the emulator to stop when it or that area is written to and then you manually work backwards. It is hard and tedious but it will find what you want every time. There are logging features as well. Bonus is the NES features one of the finest debuggers outside of the PC, and even then it could teach IDA a thing or two, http://www.fceux.com/web/help/fceux.html?Debugger.html has more.
There are a bunch of things the debugger can do as well. Logging is also one of those and you can do things like log all branches when playing something, then do the thing you want to do which you did not do before and then have it tell you what new branch it did. On later systems with those decompression routines that the BIOS supports you can log all such calls to the BIOS and as it needs to know what it is decompressing you will have nice ROM addresses for it.

Anyway I appear to find myself rewriting documentation written many times before (and not from memory first thing on a Sunday morning) so I will leave it there.
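Two of the heuristics from the reply above, relative search (the "CAB" example) and the 08??????08ZZZZZZ pointer-table fingerprint, written out as an added example in Python. This is not code from the thread, from Monkey-Moore or from any other tool; the sample ROM bytes and the letter encoding in it are constructed for the demonstration, and the pointer window 0x08000000-0x08FFFFFF is taken from the reply.

```python
"""Relative search and GBA pointer-table fingerprinting over a ROM image.

Added example, not code from the thread or from any existing tool.
Assumptions: the text encoding assigns consecutive byte values to
consecutive uppercase Roman letters (the premise of relative search),
and GBA ROM pointers are aligned little-endian 32-bit words in the
0x08000000-0x08FFFFFF window. The sample image at the bottom is constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple


def relative_pattern(phrase: str) -> List[Optional[int]]:
    """Convert an uppercase phrase into deltas relative to its first
    non-wildcard letter; '?' marks an unknown byte and becomes None."""
    letters = [c for c in phrase if c != "?"]
    if not letters:
        raise ValueError("phrase needs at least one non-wildcard letter")
    base = ord(letters[0])
    return [None if c == "?" else ord(c) - base for c in phrase]


def relative_search(rom: bytes, phrase: str) -> List[Tuple[int, int]]:
    """Find every offset whose bytes follow the phrase's relative pattern.

    Returns (offset, inferred byte value of 'A') pairs, so one hit already
    gives a candidate table for the whole alphabet."""
    pat = relative_pattern(phrase)
    anchor = next(i for i, d in enumerate(pat) if d is not None)
    anchor_letter = phrase[anchor]
    hits = []
    for off in range(len(rom) - len(pat) + 1):
        base = rom[off + anchor]          # deltas are measured from this byte
        ok = True
        for i, d in enumerate(pat):
            if d is None:
                continue                   # wildcard: any byte is fine
            want = base + d
            if not 0 <= want <= 255 or rom[off + i] != want:
                ok = False
                break
        if ok:
            hits.append((off, base - (ord(anchor_letter) - ord("A"))))
    return hits


def letter_table(a_value: int) -> Dict[str, int]:
    """Expand the byte value of 'A' into an A-Z table, dropping letters
    that would fall outside a single byte."""
    return {chr(ord("A") + i): a_value + i
            for i in range(26) if 0 <= a_value + i <= 255}


GBA_ROM_LO, GBA_ROM_HI = 0x08000000, 0x08FFFFFF


def find_pointer_tables(rom: bytes, min_run: int = 3) -> List[Tuple[int, int]]:
    """Fingerprint pointer tables: runs of at least min_run consecutive
    aligned words that all land in the GBA ROM address window.
    Returns (offset, number_of_pointers) for each run."""
    tables = []
    run_start, run_len = 0, 0
    for off in range(0, len(rom) - 3, 4):
        (word,) = struct.unpack_from("<I", rom, off)
        if GBA_ROM_LO <= word <= GBA_ROM_HI:
            if run_len == 0:
                run_start = off
            run_len += 1
        else:
            if run_len >= min_run:
                tables.append((run_start, run_len))
            run_len = 0
    if run_len >= min_run:                 # run that reaches end of image
        tables.append((run_start, run_len))
    return tables


def encode(text: str, a_value: int = 0x8A) -> bytes:
    """Constructed encoding: A..Z consecutive from a_value, space is 0x00."""
    return bytes(0x00 if c == " " else a_value + ord(c) - ord("A") for c in text)


# Constructed sample image: padding, an encoded string, a four-entry
# pointer table at offset 40, more padding. Not taken from any real game.
SAMPLE_ROM = (b"\x00" * 16 + encode("HELLO WORLD") + b"\xff" * 13
              + struct.pack("<4I", 0x08001000, 0x08001234, 0x08002000, 0x08003FFF)
              + b"\x00" * 8)


if __name__ == "__main__":
    for off, a in relative_search(SAMPLE_ROM, "HEL?O"):
        print(f"relative hit at 0x{off:X}, 'A' would be 0x{a:02X}")
        print(letter_table(a))
    for off, n in find_pointer_tables(SAMPLE_ROM):
        print(f"possible pointer table at 0x{off:X} with {n} entries")
```

The wildcard matters in practice: a phrase with punctuation or a glyph that is not in alphabetical order (a space, an apostrophe) can be searched with `?` in that position without inventing a delta for it. The pointer scan only looks at 4-byte-aligned words, which is how GBA tables are normally laid out; on the NES, as the reply says, bankswitching and fully custom formats make this kind of fingerprint far less reliable.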

dougeff
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #3 on: April 25, 2016, 10:05:18 pm »
You could take a look at the Super Mario Bros disassembly. It should give you an idea of how NES games work (it's in the documents section, called smbdis). But, basically, none of us really understand everything about the other 99.99% of games (except maybe Disch). We have specific things that we're looking for, and know how to change.

Graphics... use a tile editor.
Palettes...open the game in FCEUX, get to the part of the game where that color is on screen. Open 'PPU viewer', write down the hex values of the colors. Do a search in the ROM for those values, etc.
Looking to change a specific tile. Open 'nametable viewer', scroll the mouse over that exact tile...it will tell you its exact PPU memory location. Open 'debugger', set a breakpoint for writes to the PPU at that exact location, reload the game to the point where it loaded the graphics to the screen, when it breaks...examine the code just prior to the write, and see where it got that data from. Edit it. See if it changes.

You can use 'cheats' to freeze or change RAM values. See what happens. Take notes. I wouldn't trial-and-error the entire RAM, but if you had a specific thing you wanted to change, this might be a way to check it.

You could run the code/data logger at specific points (when a level loads) to try to locate specific data.

You could run a trace, while a thing is occurring, and examine which RAM and ROM values were read/written. Try changing them.

Lots of tools to make it easier. But, you'll never really understand more than like 1% of any game (except maybe PacMan, or some other very small game).
« Last Edit: April 25, 2016, 10:13:11 pm by dougeff »
nesdoug.com -- blog/tutorial on programming for the NES

Dr. Floppy
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #4 on: April 26, 2016, 02:13:55 pm »
I'm partial to diagramming everything in MS Paint:

First (far left) column is PrintScreened ROM code from the Debug Window. To the right of that is a literal synopsis of what's happening line-per-line ("Load A-reg with value at $690."), usually in blue. {You can skip a few lines for multiple INX's, LSR's, etc.} To the right of that (we're just past halfway across the screen nao) is a column of condensed explanations of what's happening over the course of several line-clusters ("Check to see if Dragon is biting Hero Elf's ass?"), in either dark blue or maroon. And on the far right, we have the blunt description of what all the navy/maroon stuff means in the context of the overall game ("If $690 is non-zero, Hero Elf's ass is being chewed on.").

I also draw arrows in the extreme left margin to keep track of Branches and Jumps. It's tedious, and I wouldn't recommend it for all projects, but if you really want to immerse yourself in the behind-the-scenes of a game it's incredibly effective.

SunGodPortal
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #5 on: April 26, 2016, 06:13:03 pm »
Yay! Dr. Floppy!

Sorry. I have nothing to add to the conversation, I'm just glad to see him back. :D
Cigarettes, ice-cream, figurines of the Virgin Mary...

Dr. Floppy
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #6 on: April 27, 2016, 03:07:48 am »
Quote from: SunGodPortal
Yay! Dr. Floppy!
Sorry. I have nothing to add to the conversation, I'm just glad to see him back. :D

You and me both!!  :beer:  (<-- Yukon Jack™)

It's been a busy couple of months lately, what with me getting a new job, cutting down on the ethanol and starting a new regimen of anabolic steroids.
But rest assured, I'm fully-committed to doing all I can to Make RHDN Great Again! from here on out.  ;)

dougeff
Re: Besides brute force, is there any way/technique to dissect a ROM?
« Reply #7 on: April 27, 2016, 12:44:54 pm »
Have you heard about Donald Trump's latest controversial statement? He says he doesn't like sliced cheese. He even said that if he were President, all cheese should come in large blocks. It's part of his plan to make America grate again.
nesdoug.com -- blog/tutorial on programming for the NES

FAST6191