Help:Contents/Finding Content/Systems/Genesis
Finding a Debug Menu
An example of how to find and enable a debug menu in a typical Genesis game. This guide will use Beyond Oasis.
Step 1
Search the binary for debug-related text. Here's an area list beginning at 05DB4D which isn't seen during normal gameplay:
0005DB4D 5649 4C4C 4147 4500 1F45 4341 5049 5441 VILLAGE..ECAPITA
0005DB5D 4C00 1010 4841 5242 4F52 00 L...HARBOR
etc.
Step 2
Find the text pointer table. In this case, it's located directly above the area list. It appears to begin at 05D95C:
0005D95C 01EF 01F7 01FF ...... etc.
- Ex 1: 01EF + 05D95E = 05DB4D Village
- Ex 2: 01F7 + 05D960 = 05DB57 Capital
It's important to note that pointer tables will often have null as the first entry. The value at 05D95A is 0000. The table could begin at either 05D95A or 05D95C.
Some games, however, may not use indirect addresses to store pointers. In this case, you can search the binary for the address of the message extended to 32 bits; for instance, 00 05 DB 4D.
Step 3
Search for hex string 05D95A and 05D95C.
In both cases, no results found. Don't give up just yet...
Step 4
Look around the 05D95A range to see what else is nearby. Right above it there's this, the start of another pointer table:
0005D918 0040 007A .@.z etc.
- Ex: 05D91A + 0040 = 05D95A
This suggests the area list is divided up into multiple pages.
Step 5
Search for hex string 05D918.
A result is found at 004D5B:
00004D5B 05D918
...which is part of this operation:
00:4D58 41 F9 LEA ($0005D918),A0
This is without a doubt the programming for the area select, and good news that it still exists!
Step 6
Look at the surrounding programming, and try to determine where the routine starts:
00004D4C 4E75 4A79 00FF 1658 6600 016C 41F9 0005 NuJy...Xf..lA...
00004D5C D918 ..
4E 75 is the RTS from the previous sub. The entry point is 4D4E.
Step 7
Find the programming that leads to 4D4E. Look nearby, and this turns up:
00:4CDE 61 00 BSR #$006E [00:4D4E]
Step 8
Look at the surrounding programming, and try to determine where the routine starts:
00004C66 4E75 1CEB F314 F020 58E2 1B4B F020 4E00 Nu..... X..K. N.
00004C76 0040 EDDC 0B0B CA33 FCEF 5725 F006 0000 .@.....3..W%....
00004C86 4537 111B F020 4411 0903 F020 1829 2800 E7... D.... .)(.
00004C96 F020 4100 0000 4240 . A...B@
4E 75 is the RTS from the previous sub. The block 4C68-4C9B is data, not program code. The entry point is 4C9C:
00:4C9C 42 40 CLR.W D0
Step 9
Find the programming that leads to 4C9C.
Here, the trail goes cold. No branches appear to go to 4C9C. It would seem that it's no longer connected to the main program (although with the large number of branch types available, it's hard to be 100% certain). However, it's still possible to work with the knowledge obtained.
Step 10
Using a debugger (e.g., Gens Tracer), have a trace log active as you play the game. Only a few minutes are necessary, but in that time try to get as much variety as possible - let the full intro and demo modes run, open all the different menus, get a game over, etc.
Step 11
Check the trace log and find the two closest points to 4C9C. The goal is to determine where this area select might have been accessed (e.g., title screen, pause screen, etc.). The two closest points found:
00:4C66 4E 75 RTS
(this was seen in step 8)
and
00:5074 61 00 BSR #$FFFFF220 [00:4296]
Step 12
Using a debugger (e.g., Regen), have execute breakpoints on those two addresses as you play the game. The first, 4C66, will trigger when you open the map. The second, 5074, will trigger when you open the status screen.
Step 13
Find where the game branches to 5074.
00:3DDE 67 00 BEQ #$1294 [00:5074]
This operation is part of the programming that determines what icon you selected from the main menu during gameplay. It makes a lot more sense with comments:
00:3DCC 10 39 MOVE.b ($00FF185C),D0 //index of icon highlighted on the main menu
00:3DD2 67 00 BEQ #$0642 [00:4416] //Weapon
00:3DD6 53 00 SUBQ.B #1,D0
00:3DD8 67 00 BEQ #$090A [00:46E4] //Item
00:3DDC 53 00 SUBQ.B #1,D0
00:3DDE 67 00 BEQ #$1294 [00:5074] //Status
00:3DE2 53 00 SUBQ.B #1,D0
00:3DE4 67 00 BEQ #$0B66 [00:494C] //Map
00:3DE8 53 00 SUBQ.B #1,D0
00:3DEA 67 00 BEQ #$1686 [00:5472] //Save
Step 14
As an experiment, use a game enhancer code to replace one of these branches with the suspected start address of the area select:
Before
00:3DE4 67 00 BEQ #$0B66 [00:494C]
After
00:3DE4 67 00 BEQ #$0EB6 [00:4C9C]
This translates to Action Replay code 003DE6:0EB6 or Game Genie code 028T-A6HG.
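Steps 7, 9 and 13 each ask which instructions transfer control to a known address, and Step 14 needs the new displacement word. The Python sketch below is an added example, not part of the original guide: it scans a ROM image for 68000 BRA/BSR/Bcc and JSR/JMP instructions with static targets and computes the patch. The function names and the zero-filled sample image are assumptions; the four branch encodings are taken from the listings in this guide.

```python
import struct

# Hypothetical helper names; condition codes in 68000 encoding order.
CC = "BRA BSR BHI BLS BCC BCS BNE BEQ BVC BVS BPL BMI BGE BLT BGT BLE".split()
ABS_W, ABS_L, PC_REL = (0x4EB8, 0x4EF8), (0x4EB9, 0x4EF9), (0x4EBA, 0x4EFA)

def decode_flow(rom, pc):
    """Return (mnemonic, target) if the word at pc is a 68000 branch/jump
    with a statically known target, else None."""
    op = struct.unpack_from(">H", rom, pc)[0]
    ext = rom[pc + 2:pc + 6]                    # possible extension words
    if op >> 12 == 0x6:                         # BRA / BSR / Bcc
        d8 = op & 0xFF
        if d8:                                  # short form: signed 8-bit
            disp = d8 - 0x100 if d8 & 0x80 else d8
        elif len(ext) >= 2:                     # 00 = 16-bit displacement follows
            disp = struct.unpack(">h", ext[:2])[0]
        else:
            return None
        if disp & 1:                            # odd target faults on a 68000
            return None
        return CC[(op >> 8) & 0xF], (pc + 2 + disp) & 0xFFFFFF
    name = "JMP" if op & 0x40 else "JSR"
    if op in ABS_W and len(ext) >= 2:           # sign-extended 16-bit address
        return name, struct.unpack(">h", ext[:2])[0] & 0xFFFFFF
    if op in ABS_L and len(ext) >= 4:           # full 32-bit address
        return name, struct.unpack(">I", ext)[0] & 0xFFFFFF
    if op in PC_REL and len(ext) >= 2:          # (d16,PC)
        return name, (pc + 2 + struct.unpack(">h", ext[:2])[0]) & 0xFFFFFF
    return None

def find_xrefs(rom, target):
    """(address, mnemonic) of each aligned word that decodes as a transfer to
    target. Data that happens to look like code can produce false hits."""
    hits = ((pc, decode_flow(rom, pc)) for pc in range(0, len(rom) - 1, 2))
    return [(pc, h[0]) for pc, h in hits if h and h[1] == target]

def retarget(pc, new_target):
    """For a 16-bit-displacement branch at pc, return (patch address, word)."""
    disp = new_target - (pc + 2)
    if not -0x8000 <= disp <= 0x7FFF:
        raise ValueError("target out of range for a word branch")
    return pc + 2, disp & 0xFFFF

# Constructed sample: zero-filled image holding only four branches quoted above.
rom = bytearray(0x6000)
for addr, raw in [(0x3DDE, "67001294"), (0x3DE4, "67000B66"),
                  (0x4CDE, "6100006E"), (0x5074, "6100F220")]:
    rom[addr:addr + 4] = bytes.fromhex(raw)
```

An empty result, as for 4C9C in Step 9, rules out only these direct encodings; jump tables and register-indirect calls still need the trace-log approach from Step 10.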
Step 15
Success!
The area select appears when you select the Map icon from the in-game main menu.
During development, there was likely another icon present on the in-game main menu for the area select, and then it was removed for the final build. Perhaps the icon graphic is still buried in there somewhere...