Help:Contents/Finding Content/Genesis research guide

Introduction
An example of how to find and enable a debug menu in a typical Genesis game. This guide will use the game Beyond Oasis.

Step 1
Search the binary for debug related text. Here's an area list beginning at which isn't seen during normal gameplay:

0005DB4D 5649 4C4C 4147 4500 1F45 4341 5049 5441 VILLAGE..ECAPITA
0005DB5D 4C00 1010 4841 5242 4F52 00            L...HARBOR
etc.

Step 2
Find the text pointer table. In this case, it's located directly above the area list. It appears to begin at :

0005D95C 01EF 01F7 01FF                         ...... etc.


 * Ex 1: +  =  Village
 * Ex 2: +  =  Capital

It's important to note that pointer tables will often have null as the first entry. The value at is. The table could begin at either or.

Some games, however, may not use indirect addresses to store pointers. In this case, you can do a binary search for the address of the message extended to 32 bits; for instance.

Step 3
Search for hex string and.

In both cases, no results found. Don't give up just yet...

Step 4
Look around the range to see what else is nearby. Right above it there's this, it's the start of another pointer table:

0005D918 0040 007A                              .@.z etc.


 * Ex : +  =

This suggests the area list is divided up into multiple pages.

Step 5
Search for hex string.

A result is found at.

00004D5B 05D918

...which is part of this operation

00:4D58 41 F9  LEA     ($0005D918),A0

This is without a doubt the programming for the area select, and good news that it still exists!

Step 6
Look at the surrounding programming, and try to determine where the routine starts:

00004D4C 4E75 4A79 00FF 1658 6600 016C 41F9 0005 NuJy...Xf..lA...
00004D5C D918                                   ..

is the from the previous sub. The entry point is.

Step 7
Find the programming that leads to. Look nearby, and this turns up:

00:4CDE 61 00  BSR     #$006E [00:4D4E]

Step 8
Look at the surrounding programming, and try to determine where the routine starts:

00004C66 4E75 1CEB F314 F020 58E2 1B4B F020 4E00 Nu..... X..K. N.
00004C76 0040 EDDC 0B0B CA33 FCEF 5725 F006 0000 .@.....3..W%....
00004C86 4537 111B F020 4411 0903 F020 1829 2800 E7... D.... .)(.
00004C96 F020 4100 0000 4240                     . A...B@

is the from the previous sub. The block is data, not program code. The entry point is :

00:4C9C 42 40  CLR.W   D0

Step 9
Find the programming that leads to.

Here, the trail goes cold. No branches appear to go to. It would seem that it's no longer connected to the main program (although with the large number of branch types available, it's hard to be 100 percent certain...). However, it's still possible to work with the knowledge obtained.

Step 10
Using a debugger (e.g., Gens Tracer), have a trace log active as you play the game. Only a few minutes are necessary, but in that time try to get as much variety as possible - let the full intro and demo modes run, open all the different menus, get a game over, etc.

Step 11
Check the trace log and find the two closest points to. The goal is to determine where this area select might have been accessed (e.g., title screen, pause screen, etc.) The two closest points found:

00:4C66 4E 75  RTS (this was seen in step 8)

and

00:5074 61 00  BSR     #$FFFFF220 [00:4296]

Step 12
Using a debugger (e.g., Regen), have execute breakpoints on those two addresses as you play the game. The first,, will trigger when you open the map. The second,, will trigger when you open the status screen.

Step 13
Find where the game branches to.

00:3DDE 67 00  BEQ     #$1294 [00:5074]

This operation is part of the programming that determines what icon you selected from the main menu during gameplay. It makes a lot more sense with comments:

00:3DCC 10 39  MOVE.b  ($00FF185C),D0   //index of icon highlighted on the main menu
00:3DD2 67 00  BEQ     #$0642 [00:4416] //Weapon
00:3DD6 53 00  SUBQ.B  #1,D0
00:3DD8 67 00  BEQ     #$090A [00:46E4] //Item
00:3DDC 53 00  SUBQ.B  #1,D0
00:3DDE 67 00  BEQ     #$1294 [00:5074] //Status
00:3DE2 53 00  SUBQ.B  #1,D0
00:3DE4 67 00  BEQ     #$0B66 [00:494C] //Map
00:3DE8 53 00  SUBQ.B  #1,D0
00:3DEA 67 00  BEQ     #$1686 [00:5472] //Save

Step 14
As an experiment, use a game enhancer code to replace one of these branches with the suspected start address of the area select:

Before
00:3DE4 67 00  BEQ     #$0B66 [00:494C]

After
00:3DE4 67 00  BEQ     #$0EB6 [00:4C9C]

This translates to Action Replay code or Game Genie code.

Step 15
Success!

The area select appears when you select the Map icon from the in-game main menu.

During development, there was likely another icon present on the in-game main menu for the area select, and then it was removed for the final build. Perhaps the icon graphic is still buried in there somewhere...
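
The searches in steps 5 and 6 and the branch arithmetic behind step 14 can be scripted. The following Python is an added example, not part of the original guide: the function names are hypothetical, and the sample image is constructed (zero-filled except for the bytes the guide shows at 00004D4C).

```python
import struct
from typing import List, Optional

RTS = b"\x4e\x75"            # 68000 RTS opcode
LEA_ABS_L_A0 = b"\x41\xf9"   # LEA (xxx).L,A0; a 32-bit address follows

def find_lea_refs(rom: bytes, target: int) -> List[int]:
    """Offsets of every LEA ($target).L,A0 in the image (step 5)."""
    needle = LEA_ABS_L_A0 + struct.pack(">I", target)
    hits, pos = [], rom.find(needle)
    while pos != -1:
        if pos % 2 == 0:     # 68000 instructions are word-aligned
            hits.append(pos)
        pos = rom.find(needle, pos + 1)
    return hits

def entry_after_prev_rts(rom: bytes, addr: int) -> Optional[int]:
    """Walk back word by word to the nearest RTS; the word after it is the
    candidate entry point (step 6). Heuristic only: as step 8 shows, data
    can sit between the RTS and the real start of the routine."""
    for pos in range(addr - 2, -1, -2):
        if rom[pos:pos + 2] == RTS:
            return pos + 2
    return None

def bcc_w_displacement(insn_addr: int, target: int) -> int:
    """16-bit displacement of a word-sized Bcc/BSR:
    target - (instruction address + 2), as an unsigned 16-bit value."""
    disp = target - (insn_addr + 2)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("target out of range for a 16-bit branch")
    return disp & 0xFFFF

def build_sample_rom() -> bytes:
    """Constructed image holding only the bytes shown at 0x4D4C in step 6."""
    rom = bytearray(0x6000)
    code = bytes.fromhex("4E754A7900FF16586600016C41F90005D918")
    rom[0x4D4C:0x4D4C + len(code)] = code
    return bytes(rom)

if __name__ == "__main__":
    rom = build_sample_rom()
    for ref in find_lea_refs(rom, 0x0005D918):
        entry = entry_after_prev_rts(rom, ref)
        print(f"LEA at {ref:06X}, candidate entry {entry:06X}")
    disp = bcc_w_displacement(0x3DE4, 0x4C9C)
    print(f"BEQ at 003DE4 to 004C9C needs displacement {disp:04X}")
```

On a real dump, replace build_sample_rom() with the file's contents; the displacement function reproduces the operands shown in the disassembly lines of steps 7, 11 and 14.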