42bs

New 6502 (and successors) disassembler


Nice!

 

I have actually also been a bit creative lately in the disassembler field. Currently I can disassemble a cart image back to a source tree with proper Makefiles and config files. I am using the disassembler in the cc65 suite. Running "make" produces a cart image that is identical to the source. It also creates pcx images out of all sprites it finds. The sources use proper register names and defines which makes browsing through the carts quite interesting. For compressed files I still need to find a proper unzipper.

 

The new driving episode in "Shaken, not stirred" was heavily inspired by my disassembly session of RoadRiot.

 

The starting point in doing this was the wonderful sounds in Shadow of the beast. I cannot understand how to get certain great sounds out of Lynx hardware so I built a little tool for helping me look at how other programmers are dealing with sound.

Edited by karri



 

That sounds exciting! Did you find out some of the sounds they used? Shadow of the beast has some great music, especially level 1 / "overworld theme". Robotron's wonderful arcadey sound effects also come to mind. I wish I'd understand finding sounds for the Lynx better. I guess it's at least relatively easy to experiment on chipper.

 

I thought it was funny in the chips challenge interview episode of the handycast when "LX Rudis" said that they tried to get rid of him several times, but no one of the new guys could be bothered with understanding how the sound generation on the Lynx works, and that he also sometimes used to get frustrated and just start guessing sounds! :grin:

Edited by Turbo Laser Lynx


Karri, a sprite to pcx tool sounds great. I have some sprites where I do not have the original image anymore (like King Tut ;( )


I have everything in a single Python file. I can PM it to you with an example of use.

 

You need to run the tool many times and edit some conf files manually between runs.

 

Example file001.info:

GLOBAL {
    OUTPUTNAME  "titlesprite.s";
    INPUTNAME   "file001";
    STARTADDR   $2400;
    PAGELENGTH  0;
    CPU         "65sc02";
};


RANGE { START $2400; END $241F; TYPE ByteTable; };
RANGE { START $2420; END $2422; TYPE ByteTable; };
RANGE { START $2423; END $2426; TYPE AddrTable; };
RANGE { START $2427; END $243A; TYPE ByteTable; };
RANGE { START $243B; END $4000; TYPE ByteTable; };


LABEL { NAME "titlepal"; ADDR $2400; };
LABEL { NAME "spr001_1"; ADDR $2420; };

In order to create original images you need to define where the sprite call starts. This is needed in order to find the right quadrants and bits per pixel.

 

This will then produce a source file looking like this:

 

        .setcpu "65SC02"


; ----------------------------------------------------------------------------
L0000           := $0000
; ----------------------------------------------------------------------------
titlepal:
        .byte   $01,$0C,$0A,$08,$06,$05,$04,$03 ; 2400 01 0C 0A 08 06 05 04 03
        .byte   $00,$03,$02,$01,$00,$03,$02,$00 ; 2408 00 03 02 01 00 03 02 00
        .byte   $04,$CC,$BA,$98,$76,$65,$53,$42 ; 2410 04 CC BA 98 76 65 53 42
        .byte   $03,$38,$27,$15,$04,$16,$05,$00 ; 2418 03 38 27 15 04 16 05 00
spr001_1:
        .byte   $C1,$30,$00                     ; 2420 C1 30 00
; ----------------------------------------------------------------------------
        .addr   L0000                           ; 2423 00 00
        .addr   L243B                           ; 2425 3B 24
; ----------------------------------------------------------------------------
        .byte   $00,$00,$00,$00,$00,$01,$00,$01 ; 2427 00 00 00 00 00 01 00 01
        .byte   $00,$00,$00,$00,$01,$23,$45,$67 ; 242F 00 00 00 00 01 23 45 67
        .byte   $9A,$BC,$F0,$00                 ; 2437 9A BC F0 00
L243B:  .byte   $0D,$7D,$BE,$DF,$6F,$B7,$DB,$ED ; 243B 0D 7D BE DF 6F B7 DB ED
        .byte   $F6,$FB,$7D,$BE,$C0,$0D,$7D,$BE ; 2443 F6 FB 7D BE C0 0D 7D BE
        .byte   $DF,$6F,$B7,$DB,$ED,$F6,$FB,$7D ; 244B DF 6F B7 DB ED F6 FB 7D


Edited by karri



 

 

Yes, please. I'll give it a try.


Thanks for these links, 42bs. It seems to be exactly what I need.

 

Oddly, my Lynx can't run Zarlor Mercenary, either from the original cartridge or from the ROM on my BennVenn flash cart. It crashes just after the title screen, but if I hit A quickly enough, I can bypass the broken section and get into the player selection screen.

 

So I want to see if I can disassemble the *.lnx file and hack the broken section out of it. I'll give it a go with the 6502bench tools.

 

Thanks again.

1 hour ago, OldAtAtari said:

Oddly, my Lynx can't run Zarlor Mercenary, either from the original cartridge or from the ROM on my BennVenn flash cart. It crashes just after the title screen, but if I hit A quickly enough, I can bypass the broken section and get into the player selection screen.

 

Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff).


29 minutes ago, 42bs said:

Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff).

Yeah, interesting for sure, and disappointing. I was looking forward to playing this game. I'm not sure what checking _all_ ROM contents means. My guess was simply that my Lynx has a bad piece of RAM, and Zarlor was trying to reference that particular bad address, whereas perhaps my other games don't use that address. A simpleton kind of answer from a simpleton kind of guy.

 

 

19 hours ago, 42bs said:

Wow, that's interesting. This means, Zarlor does also not check _all_ ROM contents (like Gauntlet, which made it possible to start all BLL stuff).

~Until now I have not seen any game which checks the complete rom.~

 

Seems I was wrong 😲

Edited by sage

10 hours ago, sage said:

Until now I have not seen any game which checks the complete rom.

Ok, I haven't checked all of them. But Gauntlet makes a checksum over all but the first block. But only of the first 256 bytes.
 

Just looked into the bootloader of PowerFactor: Here they check all 1024 bytes of each block.


Ok, yes, Zarlor Mercenary only checks the first 512 bytes of each block.

I checked it: Change a byte at n*1024+512 => Game starts. Change at n*1024 => game does not start.


This is the code to look for in the boot sector:
 

_382	lda $31
	jsr $fe00
	lda $fcb0
	beq _38f
	jsr _24f
_38f	lda #$10
	sta $32
_393	sec
	ldx #$10
_396	lda $fcb2
	ldy #3
_39b	adc $fcb2
	dey
	bne _39b

This is for a 256K game (ldy #3 => sum up 4 bytes).
512K games have ldy #7.

128K games have no loop, so just sum up 2 bytes.

 

I picked 8 games, and all checked the correct number of bytes. So EPYX took the wrong boot sector.


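A small simulation of the partial-coverage check 42bs describes in the two posts above (the Zarlor experiment at n*1024+512 versus n*1024, and the boot-sector listing), added here as an example; it is not code from the thread or from any Lynx loader. It sums only the first `checked` bytes of each block with a carry-chained 8-bit add and reports whether a change in the checked or the unchecked half of a block is detected. The outer-loop bounds, the skipped first block, the `skip_first`/`checked` parameters and the filler image are assumptions.

```python
"""Simulation of a per-block partial checksum like the one described in the thread:
only the first `checked` bytes of every `block_size`-byte block feed the sum. The
carry-chained 8-bit add follows the 'sec' / 'adc' pattern in the listing; the outer
loop bounds, the skipped first block and the filler image are assumptions."""

def block_checksum(image: bytes, block_size: int, checked: int, skip_first: bool = True) -> int:
    """8-bit add-with-carry over the first `checked` bytes of each block: 'sec' sets
    the carry, each 'adc' adds one byte plus the previous carry and keeps the new one."""
    if not 0 < checked <= block_size:
        raise ValueError("checked must be in 1..block_size")
    acc, carry = 0, 1
    for start in range(block_size if skip_first else 0, len(image), block_size):
        for b in image[start:start + checked]:
            total = acc + b + carry
            acc, carry = total & 0xFF, total >> 8
    return acc

def coverage(block_size: int, checked: int) -> float:
    """Fraction of every block that the loader actually verifies."""
    return checked / block_size

def make_image(blocks: int, block_size: int) -> bytes:
    """Constructed cart image: deterministic non-constant filler, not real ROM data."""
    return bytes((i * 7 + 3) & 0xFF for i in range(blocks * block_size))

def with_byte(image: bytes, offset: int, value: int) -> bytes:
    """Copy of `image` with one byte replaced (test helper)."""
    out = bytearray(image)
    out[offset] = value & 0xFF
    return bytes(out)

def zarlor_style_experiment(n: int = 2) -> dict:
    """Repeat the thread's experiment in simulation (1024-byte blocks, 512 checked):
    a change at n*1024+512 is in the unchecked half and must leave the sum untouched,
    a change at n*1024 is in the checked half and must alter it."""
    block_size, checked = 1024, 512
    img = make_image(4, block_size)
    base = block_checksum(img, block_size, checked)
    off_unchecked, off_checked = n * block_size + 512, n * block_size
    # Flipping the top bit shifts the sum by 128 mod 255, which the end-around
    # carry can never cancel, so the checked-half change is always detected.
    mod_unchecked = with_byte(img, off_unchecked, img[off_unchecked] ^ 0x80)
    mod_checked = with_byte(img, off_checked, img[off_checked] ^ 0x80)
    return {
        "coverage": coverage(block_size, checked),
        "unchecked_change_detected": block_checksum(mod_unchecked, block_size, checked) != base,
        "checked_change_detected": block_checksum(mod_checked, block_size, checked) != base,
    }

if __name__ == "__main__":
    print(zarlor_style_experiment())
```

Half of every block is never read by this check, so any integrity guarantee it gives is limited to the covered fraction reported by `coverage`.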
23 minutes ago, 42bs said:

This is the code to look for in the boot sector:
 

_382	lda $31
	jsr $fe00
	lda $fcb0
	beq _38f
	jsr _24f
_38f	lda #$10
	sta $32
_393	sec
	ldx #$10
_396	lda $fcb2
	ldy #3
_39b	adc $fcb2
	dey
	bne _39b

This is for a 256K game (ldy #3 => sum up 4 bytes).
512K games have ldy #7.

128K games have no loop, so just sum up 2 bytes.

 

I picked 8 games, and all checked the correct number of bytes. So EPYX took the wrong boot sector.

42bs, thank you so much for looking into the Zarlor issue. I'm not sure what to make of your response, but it's 2am here, and I'm a bit tired. Not to mention that I'm a complete hack.

I've been trying to disassemble the zarlor *.lnx file tonight. Both with da65 and with 6502bench. Both mostly give me data lines, not code lines, and that boot sector isn't in there. With 6502bench, I assume that my problem is an incorrect .org line.

Either way, I'm done for tonight. I'll get back on it tomorrow. By the way, thanks again for starting this topic. The 6502bench software is really nice, and the instructions and tutorials are terrific. I just haven't been able to read enough of them yet to have a clue what I'm doing.


Did some more checking: the first 6 games (from this list: Wikipedia:Lynx) contain the same header, meaning they check only 256 bytes of each block and the load address of the title picture is unchecked.

From KLAX on there is a new boot sector which also contains the load address of the title picture, so no Trojan Horse is possible like the one we used for BLL.

8 minutes ago, OldAtAtari said:

I've been trying to disassemble the zarlor *.lnx file tonight. Both with da65 and with 6502bench. Both mostly give me data lines, not code lines, and that boot sector isn't in there. With 6502bench, I assume that my problem is an incorrect .org line.

The bootsector gets decoded by the ROM, so looking at it raw makes no sense.

Best is to load a game into Handybug, set a breakpoint at 0x200 and let it hit it two times. The decode bootsector is now from 0x200..0x3ff.


 

There are only a few "different" loaders used. And the difference is small.

I am still sure that not the whole cart is checksummed (this would take a significant time).

 


Name | Type | Size | stage1 | stage1 size | stage2
Blue Lightning | | 512 | type1 | 5 | type1
California Games (128k) | | 512 | type1 | 5 | type1
Chip's Challenge (128k) | | 512 | type1 | 5 | type1
Electrocop (128k) | | 512 | type1 | 5 | type1
Gauntlet - The Third Encounter (128k) | | 512 | type1 | 5 | type1
Gates of Zendocon (128k) | | 512 | type2 | 5 | type2
Todd's Adventure in Slime World (128k) | | 512 | type3b | 3 | type3_512
Asteroids and Missile Command | | 512 | type3 | 3 | type3_512
Basketbrawl | | 512 | type3 | 3 | type3_512
Battle Wheels (128k) | | 512 | type3 | 3 | type3_512
Block Out (128k) | | 512 | type3 | 3 | type3_512
Crystal Mines II (128k) | | 512 | type3 | 3 | type3_512
European Soccer Challenge (128k) | | 512 | type3 | 3 | type3_512
Hard Drivin' (128k) | | 512 | type3 | 3 | type3_512
Ishido - The Way of the Stones (128k) | | 512 | type3 | 3 | type3_512
Joust (128k) | | 512 | type3 | 3 | type3_512
Ms. Pac-Man (128k) | | 512 | type3 | 3 | type3_512
Pac-Land (128k) | | 512 | type3 | 3 | type3_512
Paperboy (128k) | | 512 | type3 | 3 | type3_512
Qix (128k) | | 512 | type3 | 3 | type3_512
Robo-Squash (128k) | | 512 | type3 | 3 | type3_512
Robotron 2084 | | 512 | type3 | 3 | type3_512
Shanghai (128k) | | 512 | type3 | 3 | type3_512
Turbo Sub (128k) | | 512 | type3 | 3 | type3_512
Ultimate Chess Challenge (128k) | | 512 | type3 | 3 | type3_512
Warbirds (128k) | | 512 | type3 | 3 | type3_512
Xenophobe | | 512 | type3 | 3 | type3_512
Zarlor Mercenary (128k) | | 512 | type3 | 3 | type3_512
Atomic | BLL | 1024 | type1 | 5 | type1
Battling Chimera Taquin | BLL | 1024 | type1 | 5 | type1
bll | BLL | 1024 | type1 | 5 | type1
Championship Rally 256x1k | BLL | 1024 | type1 | 5 | type1
clicks | BLL | 1024 | type1 | 5 | type1
Conquest of Zow | BLL | 1024 | type1 | 5 | type1
DM_Dungeon_master | BLL | 1024 | type1 | 5 | type1
Dynalynx | BLL | 1024 | type1 | 5 | type1
FS-3_256k_AudioLo | BLL | 1024 | type1 | 5 | type1
Hyperdrome 128x1k | BLL | 1024 | type1 | 5 | type1
Kistenschieben | BLL | 1024 | type1 | 5 | type1
Lexis (Shadowsoft 1999) | unclear | 1024 | type1 | 5 | type1
LynxReloaded_128x1k | BLL | 1024 | type1 | 5 | type1
Marble Madness | BLL | 1024 | type1 | 5 | type1
Nonameyet | BLL | 1024 | type1 | 5 | type1
Puzzler 2000 | BLL | 1024 | type1 | 5 | type1
Rapide Racer | BLL | 1024 | type1 | 5 | type1
Remnant Special CGE2K Edition 64x1k | BLL | 1024 | type1 | 5 | type1
simis | BLL | 1024 | type1 | 5 | type1
Slideshow 256x1k | BLL | 1024 | type1 | 5 | type1
SokoMania 128x1k | BLL | 1024 | type1 | 5 | type1
Teenage | BLL | 1024 | type1 | 5 | type1
The return to the space coyote | BLL | 1024 | type1 | 5 | type1
v7SE | BLL | 1024 | type1 | 5 | type1
Wolf | BLL | 1024 | type1 | 5 | type1
yastuna2 | BLL | 1024 | type1 | 5 | type1
Zaku Public Demo (2005-11-13) | BLL | 1024 | type1 | 5 | type1
Othello 256x1k | protected | 1024 | type2 | 5 | type2
MegaPak | Megapak | 1024 | type4 | 3 | type4_1024
Zaku final | Zaku | 2048 | type4 | 3 | type4_2048
APB - All Points Bulletin | | 1024 | type3 | 3 | type3_1024
Awesome Golf | | 1024 | type3 | 3 | type3_1024
Baseball Heroes | | 1024 | type3 | 3 | type3_1024
Batman Returns | | 1024 | type3 | 3 | type3_1024
Battlezone 2000 | | 1024 | type3 | 3 | type3_1024
Bill and Ted's | | 1024 | type3 | 3 | type3_1024
Bubble Trouble | | 1024 | type3 | 3 | type3_1024
Checkered Flag | | 1024 | type3 | 3 | type3_1024
CM2-Buried Treasure | | 1024 | type3 | 3 | type3_1024
Cybervirus 256x1k | | 1024 | type3 | 3 | type3_1024
Desert Strike | | 1024 | type3 | 3 | type3_1024
dgate | | 1024 | type3 | 3 | type3_1024
Dinolympics | | 1024 | type3 | 3 | type3_1024
Dirty Larry - Renegade Cop | | 1024 | type3 | 3 | type3_1024
Double Dragon | | 1024 | type3 | 3 | type3_1024
Dracula the Undead | | 1024 | type3 | 3 | type3_1024
Fat Bobby | | 1024 | type3 | 3 | type3_1024
Gordo 106 - The Mutated Lab Monkey | | 1024 | type3 | 3 | type3_1024
Hockey | | 1024 | type3 | 3 | type3_1024
Hydra | | 1024 | type3 | 3 | type3_1024
Klax | | 1024 | type3 | 3 | type3_1024
Krazy Ace Miniature Golf | | 1024 | type3 | 3 | type3_1024
Kung Food | | 1024 | type3 | 3 | type3_1024
Lemmings | | 1024 | type3 | 3 | type3_1024
Lynx Casino | | 1024 | type3 | 3 | type3_1024
Malibu Bikini Volleyball | | 1024 | type3 | 3 | type3_1024
NFL Football | | 1024 | type3 | 3 | type3_1024
Ninja Gaiden | | 1024 | type3 | 3 | type3_1024
Pinball Jam | | 1024 | type3 | 3 | type3_1024
Power Factor | | 1024 | type3 | 3 | type3_1024
Rampage | | 1024 | type3 | 3 | type3_1024
Rampart | | 1024 | type3 | 3 | type3_1024
RoadBlasters | | 1024 | type3 | 3 | type3_1024
Rygar | | 1024 | type3 | 3 | type3_1024
S.T.U.N. Runner | | 1024 | type3 | 3 | type3_1024
Scrapyard Dog | | 1024 | type3 | 3 | type3_1024
Shadow of the Beast | | 1024 | type3 | 3 | type3_1024
Steel Talons | | 1024 | type3 | 3 | type3_1024
Super Off-Road | | 1024 | type3 | 3 | type3_1024
Super Skweek | | 1024 | type3 | 3 | type3_1024
Switchblade II | | 1024 | type3 | 3 | type3_1024
Toki | | 1024 | type3 | 3 | type3_1024
Tournament Cyberball 2072 | | 1024 | type3 | 3 | type3_1024
Viking Child | | 1024 | type3 | 3 | type3_1024
World Class Soccer | | 1024 | type3 | 3 | type3_1024
Xybots | | 1024 | type3 | 3 | type3_1024
eotb_neu | | 2048 | type3 | 3 | type3_2048
Ninja Gaiden III - The Ancient Ship of Doom | | 2048 | type3 | 3 | type3_2048
Pit Fighter - The Ultimate Competition | | 2048 | type3 | 3 | type3_2048


BLL - Loader or Type 1 (0xFB first byte)

Reads the directory entry for the title picture from the directory at 0x200 _before_ checksumming.

The hack was to replace the boot code with a faked image.

The checksumming only tests the first 256 bytes of each block, even Electrocop which is a 256K (thus 1024 bytes per block) game.

 

The other official loader checksums _all_ of the card (exception so far Zarlor) and stores the directory entry for the title picture in the encrypted part.

 

And really, _all_ of the card is read.
 


Gates of Zendocon is a Type 1 boot sector, meaning it checks only the first 256 bytes of each (but the first) block.

1 hour ago, 42bs said:

Gates of Zendocon is a Type 1 boot sector, means checks only the first 256bytes of each (but the first) block.


 

Sure, I list it separately, because there are non-trivial changes in the code.

(Trivial changes are the title picture address and the copied-in values for entry0, entry1 and hash, depending on stage1/stage2.)


Well, did not go that much into detail. But w.r.t the checksum, it is the same code as Gauntlet.

2 hours ago, 42bs said:

The other official loader checksums _all_ of the card (exception so far Zarlor) and stores the directory entry for the title picture in the encrypted part.

 

And really, _all_ of the card is read.
 

Maybe that is the reason I immediately replace the loader when touching a rom ;-)

