[MintyTheCat]

Hello all,

I am doing some hack work on a Megadrive ROM and would like some ideas as to how best to recalculate memory addresses having written extra code and altered the initial addresses for data and instructions.

Cheers,

Minty.

[FAST6191]

I assume this is 68K for the main CPU rather than some Z80 fun for the sound CPU, not that it is terribly different. For most games the megadrive had the cart memory mapped (some games had some bankswitching but enough that you can probably keep a list of those in your head). http://www.romhacking.net/documents/646/ in case you had not read it or another tech manual.

Also some context might help; "altered the initial addresses for data and instructions" is not so clear. Hopefully you do not mean "I put everything in the ROM forward by ?? bytes" because that is a nightmare way to set about a hack.

Do you mean "I wanted a larger text section and to keep it all together I shuffled it to the blank space at the end of the ROM", not always the best move for a production hack it is a method that does work so OK.

Anyway for the most part the redoing of pointers is "is it a known ROM with an editor?" (use that or the code from it), is it a known format (not so common on the megadrive) and if not then you are programming something to handle it, or using tools like atlas and cartographer. It is also acceptable to use a search function in a hex editor if you can for your case -- I was dealing with a text format on the DS a little while back and it ended each section in 0000 which appeared nowhere else in the text section, one search later and 2 minutes in a spreadsheet and I was sorted.

[tryphon]

I don't really understand the question. Could you be more precise ? You wrote extra code or extra data ?

[MintyTheCat]

I find this to be a general solution to be required but I am specifically altering the program for Thunderforce 3.

My first interest to permit me to analyse TF3 executing is to have a player ship that is invincible and as such located the section of code that handle lives, fatal collision-detection and then found the part of the game where the ship is invincible at the very start of a level when the ship is flashing.

I made changes and directly entered corresponding machinecode but of course anything that is larger than the original instruction offsets the rest of the ROM upwards - I do not want this.  As an interim I placed in instructions that were the same size so a 4 Byte was replaced with a 4B or 2 x 2B, etc.

Indeed, 68K.

No extra data - only code changes.

References to program code and data need to be either preserved as I have had to do thus far or recalculated.

Editor is available for level data but that does not serve my purpose - I am altering the program code.

Also some context might help; "altered the initial addresses for data and instructions" is not so clear. Hopefully you do not mean "I put everything in the ROM forward by ?? bytes" because that is a nightmare way to set about a hack.

Do you mean "I wanted a larger text section and to keep it all together I shuffled it to the blank space at the end of the ROM", not always the best move for a production hack it is a method that does work so OK.

No to both.

[tryphon]

The easiest way is to put your extra code at the end of the ROM, then you put a

Code: [Select]

jmp end_of_ROM
where your extra-code should be, and at the end of your extra-code, you put a

Code: [Select]

jmp next_instruction_following_extra_code
There can be problems if you there are branches between your extra_code and the rest of the code, but that's the idea.

It works on all games not using banking (I know Super SF2 and Phantasy Star IV use banking, I don't know others).

[MintyTheCat]

Yes, a jump will be fine and it allows us to instrument the rom.

What remains is then to determine all entry/exit points and to cover them all.

Thanks for the advice, Tryphon.

[tryphon]

You're welcome

I can say IDA is quite helpful for localizing branch-free pieces of code.

[MintyTheCat]

You're welcome

I can say IDA is quite helpful for localizing branch-free pieces of code.

IDA makes reversing a lot easier - even an ancient version is worth having around.

Cheers.

[goldenband]

The Game Genie code RZAT-A6Y0 allegedly gives invincibility in Thunder Force III. I believe that code writes the value $4E75 to ROM address $4196, if I'm not mistaken (I'm using this applet to convert Game Genie codes into ROM addresses and values).

You'll probably also need to input the master code REBT-A6XY, by writing $4E71 to address $374.