Please consider supporting The Cutting Room Floor on Patreon. Thanks for all your support!

Help:Contents/Finding Content/Genesis research guide

From The Cutting Room Floor
Jump to: navigation, search

Introduction

An example of how to find and enable a debug menu in a typical Genesis game. This guide will use the game Beyond Oasis.

Step 1

Search the binary for debug related text. Here's an area list beginning at 05DB4D which isn't seen during normal gameplay:

0005DB4D 5649 4C4C 4147 4500 1F45 4341 5049 5441 VILLAGE..ECAPITA
0005DB5D 4C00 1010 4841 5242 4F52 00             L...HARBOR
etc.

Step 2

Find the text pointer table. In this case, it's located directly above the area list. It appears to begin at 05D95C:

0005D95C 01EF 01F7 01FF                          ......
etc.
  • Ex 1: 01EF + 05D95E = 05DB4D Village
  • Ex 2: 01F7 + 05D960 = 05DB57 Capital

It's important to note that pointer tables will often have have null as the first entry. The value at 05D95A is 0000. The table could begin at either 05D95A or 05D95C.

Some games, however, may not use indirect addresses to store pointers. In this case, you can do a binary search for the address of the message extended to 32 bits; for instance 00 05 DB 4D.

Step 3

Search for hex string 05D95A and 05D95C.

In both cases, no results found. Don't give up just yet...

Step 4

Look around the 05D95A range to see what else is nearby. Right above it there's this, it's the start of another pointer table:

0005D918 0040 007A                               .@.z
etc.
  • Ex : 05D91A + 0040 = 05D95A

This suggests the area list is divided up into multiple pages.

Step 5

Search for hex string 05D918.

A result is found at 004D5B.

00004D5B 05D918

...which is part of this operation

00:4D58  41 F9  LEA     ($0005D918),A0

This is without a doubt the programming for the area select, and good news that it still exists!

Step 6

Look at the surrounding programming, and try to determine where the routine starts:

00004D4C 4E75 4A79 00FF 1658 6600 016C 41F9 0005 NuJy...Xf..lA...
00004D5C D918                                    ..

4E 75 is the RTS from the previous sub. The entry point is 4D4E.

Step 7

Find the programming that leads to 4D4E. Look nearby, and this turns up:

00:4CDE  61 00  BSR     #$006E [00:4D4E]

Step 8

Look at the surrounding programming, and try to determine where the routine starts:

00004C66 4E75 1CEB F314 F020 58E2 1B4B F020 4E00 Nu..... X..K. N.
00004C76 0040 EDDC 0B0B CA33 FCEF 5725 F006 0000 .@.....3..W%....
00004C86 4537 111B F020 4411 0903 F020 1829 2800 E7... D.... .)(.
00004C96 F020 4100 0000 4240                     . A...B@

4E 75 is the RTS from the previous sub. The block 4C68-4C9B is data, not program code. The entry point is 4C9C:

00:4C9C  42 40  CLR.W   D0

Step 9

Find the programming that leads to 4C9C.

Here, the trail goes cold. No branches appear to go to 4C9C. It would seem that it's no longer connected to the main progam (although with the large number of branch types available, it's hard to be 100 percent certain...) However, it's still possible to work with the knowledge obtained.

Step 10

Using a debugger (e.g., Gens Tracer), have a trace log active as you play the game. Only a few minutes are necessary, but in that time try to get as much variety as possible - let the full intro and demo modes run, open all the different menus, get a game over, etc.

Step 11

Check the trace log and find the two closest points to 4C9C. The goal is to determine where this area select might have been accessed (e.g., title screen, pause screen, etc.) The two closest points found:

00:4C66  4E 75  RTS

(this was seen in step 8)

and

00:5074  61 00  BSR     #$FFFFF220 [00:4296]

Step 12

Using a debugger (e.g., Regen), have execute breakpoints on those two addresses as you play the game. The first, 4C66, will trigger when you open the map. The second, 5074, will trigger when you open the status screen.

Step 13

Find where the game branches to 5074.

00:3DDE  67 00  BEQ     #$1294 [00:5074]

This operation is part of the programming that determines what icon you selected from the main menu during gameplay. It makes a lot more sense with comments:

00:3DCC  10 39  MOVE.b  ($00FF185C),D0   //index of icon highlighted on the main menu
00:3DD2  67 00  BEQ     #$0642 [00:4416] //Weapon
00:3DD6  53 00  SUBQ.B  #1,D0
00:3DD8  67 00  BEQ     #$090A [00:46E4] //Item
00:3DDC  53 00  SUBQ.B  #1,D0
00:3DDE  67 00  BEQ     #$1294 [00:5074] //Status
00:3DE2  53 00  SUBQ.B  #1,D0
00:3DE4  67 00  BEQ     #$0B66 [00:494C] //Map
00:3DE8  53 00  SUBQ.B  #1,D0
00:3DEA  67 00  BEQ     #$1686 [00:5472] //Save

Step 14

As an experiment, use a game enhancer code to replace one of these branches with the suspected start address of the area select:

Before

00:3DE4  67 00  BEQ     #$0B66 [00:494C]

After

00:3DE4  67 00  BEQ     #$0EB6 [00:4C9C]

This translates to Action Replay code 003DE6:0EB6 or Game Genie code 028T-A6HG.

Step 15

Success!

The area select appears when you select the Map icon from the in-game main menu.

During development, there was likely another icon present on the in-game main menu for the area select, and then it was removed for the final build. Perhaps the icon graphic is still buried in there somewhere...