News:

11 March 2016 - Forum Rules

Main Menu

Snes Rom Disassembly

Started by jvplouvem, November 05, 2021, 12:13:22 PM

Previous topic - Next topic

jvplouvem

Hi guys, how are you?

I'm trying to decompile a rom using Dispel tool(https://github.com/pelrun/Dispel)

I want to name the labels, but the source code doesn't make me be sure I'm naming at the correct address

Example:

C0/83D7: 78      sei
C0/83D8: D8      cld
C0/83D9: 18      clc
C0/83DA: FB      xce
C0/83DB: C230    rep #$30
C0/83DD: A9FF1F  lda #$1FFF
C0/83E0: 1B      tcs
C0/83E1: A90018  lda #$1800
C0/83E4: 5B      tcd
C0/83E5: F47E7E  pea $7E7E
C0/83E8: AB      plb
C0/83E9: AB      plb
C0/83EA: 225C8187 jsr $87815C ; ---> It jumps to block bellow



Here there is no mention to $87815C address, we only have C7/815C, but byte 815C may be in another bank, for example D9/815C

C7/815C: E220    sep #$20
C7/815E: 8B      phb
C7/815F: A980    lda #$80
C7/8161: 48      pha
C7/8162: AB      plb
C7/8163: A98F    lda #$8F




I know this(code jumps to the line that starts at "sep #$20") because I debugged it on bsnes, but I would like to know how can i identify the jump addresses directly in the decompiled code.

Thanks

Cyneprepou4uk

It's a 24-bit addressing mode, so C7/815C is the only possible location.

In other cases you look for a bankswitch routine nearby. Also usually there are not so many possible locations in several banks if you look at their routine logic. And debugging helps as well.

Vehek

Due to mirroring, different banks can refer to the same address. The disassembler's default assumption for the bank number was just different.

jvplouvem

#3
Quote from: Cyneprepou4uk on November 05, 2021, 01:23:38 PM
It's a 24-bit addressing mode, so C7/815C is the only possible location.

In other cases you look for a bankswitch routine nearby. Also usually there are not so many possible locations in several banks if you look at their routine logic. And debugging helps as well.

"look for a bankswitch routine nearby"

Yes, I thought about that too, but I thought there might be an easier way to confirm.

But that's okay, it's tiring work, but I'll do it little by little

Thank you friend

November 05, 2021, 02:31:47 PM - (Auto Merged - Double Posts are not allowed before 7 days.)

Quote from: Vehek on November 05, 2021, 01:35:22 PM
Due to mirroring, different banks can refer to the same address. The disassembler's default assumption for the bank number was just different.

Well remembered, that mirroring issue matters. Now it get more complicated  :-\

Thank you friend

KingMike

Quote from: Cyneprepou4uk on November 05, 2021, 01:23:38 PM
It's a 24-bit addressing mode, so C7/815C is the only possible location.

In other cases you look for a bankswitch routine nearby. Also usually there are not so many possible locations in several banks if you look at their routine logic. And debugging helps as well.

SNES games don't have bankswitching (unless they are one of a couple games with actual mappers. I think SDD-1 and SPC7110. I hear SA1 supports it but I assume that since no games were released larger than 4MB it was not used in released games?), as long-jumps generally replaced the need for it.
"My watch says 30 chickens" Google, 2018

Cyneprepou4uk

I see. Well, good news for @jvplouvem then. If you see a 16-bit JMP or JSR, then it points somewhere within its bank.

Raeven0

According to DisPel's documentation on github, the author has elected to handle program banks incorrectly:
QuoteFor HiROMs, the SlowROM code begins at bank $40, and the FastROM copy at $C0.
Your game's code apparently runs in banks $80 - $BF, but DisPel is going to disassemble it as though it runs in $C0 - $FF. That means your game code will not precisely match the disassembled output, and you will have to keep memory mirroring in mind whenever you see a long address.

(The precise program bank does matter: consider the difference in the behavior of phk : plb : lda $0000 when K is $80 vs. $C0. Oddly, the author must have been aware of this issue, since immediately before the quoted line he explains the need to run SNES code only in its original bank and not a mirror bank. But he also chose to disassemble opcode $22 as jsr instead of the correct jsl, so who knows what he was thinking.)

Cyneprepou4uk

22 is one of the addressing modes for JSR instruction, so JSR is a correct name. JSL is just an alias.

Raeven0

I pulled out Programming the 65816 to double-check. The authors do indeed introduce Long Jump to Subroutine using the JSR mnemonic -- for a third of a page, then immediately urge JSL as the preferable mnemonic for $22 and use JSL for the remainder of the text. It is a correct name, though, sure (but I advise against it).

KingMike

Quote from: Raeven0 on November 06, 2021, 05:08:16 PM
According to DisPel's documentation on github, the author has elected to handle program banks incorrectly:  Your game's code apparently runs in banks $80 - $BF, but DisPel is going to disassemble it as though it runs in $C0 - $FF. That means your game code will not precisely match the disassembled output, and you will have to keep memory mirroring in mind whenever you see a long address.

(The precise program bank does matter: consider the difference in the behavior of phk : plb : lda $0000 when K is $80 vs. $C0. Oddly, the author must have been aware of this issue, since immediately before the quoted line he explains the need to run SNES code only in its original bank and not a mirror bank. But he also chose to disassemble opcode $22 as jsr instead of the correct jsl, so who knows what he was thinking.)

I want to say the program in question was from like 2000.
I imagine it is probably based on outdated info, I've never seen a game use bank 40+ (although I hear ToP did use it to map in the extended ROM). I have seen HiROM games use bank 80+ though.
"My watch says 30 chickens" Google, 2018

jvplouvem

I had noticed this difference, in some places Dispel decompiled a jsl opcode instead of jsr, but I didn't think it made any difference.

Well, thank you very much for the answers, you guys have a lot of knowledge and share it willingly.

Thank you for real

Anime_World

Quote from: jvplouvem on November 05, 2021, 12:13:22 PM
I'm trying to decompile a rom using Dispel tool(https://github.com/pelrun/Dispel)

I want to name the labels, but the source code doesn't make me be sure I'm naming at the correct address

Try to do this with Mesen-S.  ;)

jvplouvem

Quote from: Anime_World on November 11, 2021, 09:05:04 PM
Try to do this with Mesen-S.  ;)


I tried both(bsnes and Mesen-S), but Mesen-S has a bug, it shows "pea" with "#", for example pea #$7E7E.
For debugging, Mesen-S is really good, but when i want to decompile i prefer bsnes because the reason above.

Thank you friend for your time

Cyneprepou4uk

If only there was a way to replace "pea #$" with "pea $" in a text file. A man can dream thought, a man can dream... >:D

Anime_World

Quote from: jvplouvem on November 12, 2021, 01:57:07 PM

I tried both(bsnes and Mesen-S), but Mesen-S has a bug, it shows "pea" with "#", for example pea #$7E7E.
For debugging, Mesen-S is really good, but when i want to decompile i prefer bsnes because the reason above.

Thank you friend for your time

According to the documentation it is correct with the immediate value "#" before. So it's not a bug.
http://6502.org/tutorials/65c816opcodes.html#6.8.1


Raeven0

Quote from: Anime_World on November 12, 2021, 08:54:10 PMAccording to the documentation it is correct with the immediate value "#" before. So it's not a bug.
http://6502.org/tutorials/65c816opcodes.html#6.8.1
Bruce Clark is a prolific and influential writer, but is not WDC. In Programming the 65816, WDC supposes that PEA has absolute addressing and uses the syntax PEA $1234. (The doc even states that the instruction does not use immediate addressing syntax even if the argument is intended as immediate data.) But assembler authors can support whatever syntax they want, and as Bruce notes, immediate addressing syntax is more consistent with what the instruction actually does.

jvplouvem

Quote from: Raeven0 on November 13, 2021, 01:20:27 PM
Bruce Clark is a prolific and influential writer, but is not WDC. In Programming the 65816, WDC supposes that PEA has absolute addressing and uses the syntax PEA $1234. (The doc even states that the instruction does not use immediate addressing syntax even if the argument is intended as immediate data.) But assembler authors can support whatever syntax they want, and as Bruce notes, immediate addressing syntax is more consistent with what the instruction actually does.

Nice explanation. :)
Thank you for the clarification. :thumbsup: