Notes:Gimmick!

Copy Protection Code
At in the ROM is the following code:

08:8021:BD 50 03  LDA $0350,X  // load sprite ID from active sprite list 08:8024:C9 AA     CMP #$AA     // is it #AA? 08:8026:D0 05     BNE $802D    // if no, carry on 08:8028:20 21 8F   JSR $8F21    // if yes, jump to copy protection routine

This code is run whenever any sprites (aside from Gimmick himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in stage 7:



As soon as the bug is loaded into RAM, this code is run, at :

08:8F21:A0 1B     LDY #$1B     // load ROM bank #1B (intro text/routines) 08:8F23:20 5E F0  JSR $F05E 08:8F26:A2 00     LDX #$00 08:8F28:BD 5F 8F  LDA $8F5F,X  // load address from ROM check list 08:8F2B:85 01     STA $0001    // store in temp RAM 08:8F2D:E8        INX 08:8F2E:BD 5F 8F  LDA $8F5F,X 08:8F31:85 00     STA $0000 08:8F33:E8        INX 08:8F34:A0 00     LDY #$00 08:8F36:B1 00     LDA ($00),Y  // load byte from address in temp RAM 08:8F38:DD 5F 8F  CMP $8F5F,X  // compare with ROM check list 08:8F3B:D0 0D     BNE $8F4A    // if it doesn't match, UH OH! BUSTED! 08:8F3D:E8        INX          // otherwise, continue to next byte/address 08:8F3E:C8        INY 08:8F3F:C0 04     CPY #$04 08:8F41:D0 F3     BNE $8F36 08:8F43:E0 1E     CPX #$1E 08:8F45:90 E1     BCC $8F28 08:8F47:A9 AA     LDA #$AA     // if ROM checks out, reload sprite ID #AA 08:8F49:60        RTS          // return to sprite processing

ROM check list @ 0x20F6F (first two digits in each line): BB 9F FB 9B 1C 9C // pointers to "GIMMICK!" and "© 1992 SUNSOFT" BC 3C 14 0F 0D 0F // "TOMO" (unused string) A8 70 0F C9 04 D0 // part of code that checks whether last text page has been displayed E0 A4 A0 1B 20 51 // code that loads and jumps to intro text bank E0 A8 F0 20 00 80

TOMO is a reference to Tomomi Sakae, the designer and programmer.

This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated, at :

08:8F4A:A2 00     LDX #$00     // UH OH! BUSTED! 08:8F4C:BD 7D 8F  LDA $8F7D,X  // load encrypted byte 08:8F4F:49 AC     EOR #$AC     // do some simple decryption on it... 08:8F51:38         SEC 08:8F52:E9 07     SBC #$07 08:8F54:9D 00 05  STA $0500,X  // ...and store it in RAM 08:8F57:E8        INX 08:8F58:E0 60     CPX #$60     // continue until all 96 bytes are decrypted... 08:8F5A:90 F0      BCC $8F4C 08:8F5C:4C 00 05  JMP $0500    // ...and jump to $0500 (start of decrypted routine in RAM)

This is where things get really interesting. At is a 96-byte block of seemingly innocuous data, which in reality is an XOR-encrypted routine! This is decrypted and copied to in RAM, where it is then executed. This is what displays the BLACK HOLE text and locks up the game.

Here is the decrypted routine, with the important bits commented:


 * 0500:A9 FF     LDA #$FF
 * 0502:85 29     STA $0029
 * 0504:20 9F F2  JSR $F29F
 * 0507:A9 00     LDA #$00
 * 0509:85 FD     STA $00FD
 * 050B:85 FC     STA $00FC
 * 050D:A5 FF     LDA $00FF
 * 050F:29 FC     AND #$FC
 * 0511:85 FF     STA $00FF
 * 0513:A9 00     LDA #$00     // blank screen
 * 0515:A2 20     LDX #$20
 * 0517:A0 00     LDY #$00
 * 0519:20 2E F3  JSR $F32E
 * 051C:AD 02 20  LDA $2002
 * 051F:A9 21     LDA #$21     // set screen address $21A7
 * 0521:8D 06 20  STA $2006
 * 0524:A9 A7     LDA #$A7
 * 0526:8D 06 20  STA $2006
 * 0529:A2 00     LDX #$00
 * 052B:BD 4F 05  LDA $054F,X  // load BLACK HOLE text
 * 052E:8D 07 20  STA $2007    // write to screen
 * 0531:E8        INX
 * 0532:E0 11     CPX #$11
 * 0534:D0 F5     BNE $052B
 * 0536:A9 00     LDA #$00
 * 0538:85 4A     STA $004A
 * 053A:A9 01     LDA #$01
 * 053C:85 E9     STA $00E9
 * 053E:20 5B F3  JSR $F35B
 * 0541:A9 00     LDA #$00
 * 0543:85 29     STA $0029
 * 0545:A9 40     LDA #$40      // load font into background CHR
 * 0547:85 E5     STA $00E5
 * 0549:20 96 F2  JSR $F296
 * 054C:4C 91 FF  JMP $FF91     // jump to infinite loop

Text string @ $054F: 00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00 __ __ __ __ B L  A  C  K  __ H  O  L  E  __ __ __

It's worth noting that none of this code is ever executed in the European version, as the triggering sprite ID was changed to #FE, which never appears during normal gameplay.