And since this is a programming forum, I guess I should say how I did the hack.
- Fired up Night Stalker in jzIntv's debugger.
- Run game and tap disc to get into the main game screen.
- F4 to break out to debugger.
- "m 35D" shows me the address of the EXEC hand controller dispatch. ($51C6)
- "m 51C6" shows me the hand controller dispatch table. Entries are in SDBD order. The second entry ($5B14) is the entry used for the keypad.
- "u 5B14" shows the code for processing keypad events. Running "u" a couple more times shows more code.
- Notice a series of compares and branches: "If 2 goto $5B42; if 4 goto $5B48" etc. Disassembling further sees those code paths converge on code at $5B5A.
The code at $5B5A looks like this:
```
$5B5A: 0280 0168       MVI  $0168,R0
$5B5C: 0008            INCR R0
$5B5D: 0240 0168       MVO  R0,$0168
$5B5F: 0004 0114 02D5  JSR  R5,$16D5
$5B62: 0004 015C 016B  JSR  R5,$5D6B
$5B65: 0001            SDBD
$5B66: 02B8 0082 0018  MVII #$1882,R0
$5B69: 0240 0325       MVO  R0,$0325
$5B6B: 0280 0160       MVI  $0160,R0
$5B6D: 0010            DECR R0
$5B6E: 0240 0160       MVO  R0,$0160
$5B70: 02B7            PULR R7
```
I put a watch on $168 and $160 and run again. I notice that $168 gets set to 1 while a bullet is in the air, and cleared when the bullet is gone. $160 is the number of bullets. Looking at the disassembly, the DECR R0 at $5B6D is what decrements the bullet count.
So, I NOP it out. Et voila! Infinite bullets.
The opcode for NOP is $34. Hence the poke statement above. It pokes $34, the NOP opcode, to location $5B6D, the DECR R0 instruction.
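The effect of the one-word patch, as an added example that is not part of the original post: a minimal Python interpreter for only the opcodes in the last four lines of the listing, run on a constructed memory image before and after $34 is written to $5B6D. The helper names (`load_image`, `run`, `fire`, `changed_words`) are hypothetical, and memory width and CPU flags are not modelled.

```python
NOP = 0x0034         # NOP opcode, as given in the post
PATCH_ADDR = 0x5B6D  # address of DECR R0 in the listing
BULLETS = 0x0160     # bullet counter, per the post
START = 0x5B6B       # MVI $0160,R0 in the listing

def load_image(bullets):
    """Constructed memory image: the words at $5B6B-$5B70 plus the counter."""
    words = [0x0280, 0x0160, 0x0010, 0x0240, 0x0160, 0x02B7]
    mem = {START + i: w for i, w in enumerate(words)}
    mem[BULLETS] = bullets
    return mem

def run(mem, pc=START):
    """Interpret only the opcodes in this fragment; PULR R7 ends the routine."""
    regs = [0] * 8
    while mem[pc] != 0x02B7:
        op, r = mem[pc], mem[pc] & 7
        kind = op & 0x3F8
        if op == NOP:
            pc += 1
        elif kind == 0x0280:              # MVI addr,Rr (direct)
            regs[r] = mem[mem[pc + 1]]
            pc += 2
        elif kind == 0x0240:              # MVO Rr,addr (direct)
            mem[mem[pc + 1]] = regs[r]
            pc += 2
        elif kind == 0x0010:              # DECR Rr
            regs[r] = (regs[r] - 1) & 0xFFFF
            pc += 1
        elif kind == 0x0008:              # INCR Rr
            regs[r] = (regs[r] + 1) & 0xFFFF
            pc += 1
        else:
            raise ValueError(f"opcode ${op:04X} at ${pc:04X} not modelled")
    return mem

def fire(bullets, patched):
    """Return the bullet count after one pass through the routine's tail."""
    mem = load_image(bullets)
    if patched:
        mem[PATCH_ADDR] = NOP             # the poke described in the post
    return run(mem)[BULLETS]

def changed_words(a, b):
    """Addresses where two images differ, as an integrity check would report."""
    return sorted(addr for addr in a if a[addr] != b[addr])

if __name__ == "__main__":
    print(fire(6, patched=False), fire(6, patched=True))
```

Because NOP and DECR R0 are both one word long, the patch leaves every following address unchanged, so the MVO still runs and simply writes back the value it just loaded.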