
Notes:Mr. Gimmick

From The Cutting Room Floor

This page contains notes for the game Mr. Gimmick.

Copy Protection Code

At 0x20031 in the ROM is the following code:

08:8021:BD 50 03   LDA $0350,X  // load sprite ID from active sprite list 
08:8024:C9 AA      CMP #$AA     // is it #AA? 
08:8026:D0 05      BNE $802D    // if no, carry on 
08:8028:20 21 8F   JSR $8F21    // if yes, jump to copy protection routine

This code is run whenever any sprites (aside from Yumetarō himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in the secret Stage 7:

If you made it this far, then the bug spared you!

As soon as the bug is loaded into RAM, this code is run, at 0x20F31:

08:8F21:A0 1B      LDY #$1B     // load ROM bank #1B (intro text/routines) 
08:8F23:20 5E F0   JSR $F05E 
08:8F26:A2 00      LDX #$00 
08:8F28:BD 5F 8F   LDA $8F5F,X  // load address from ROM check list 
08:8F2B:85 01      STA $0001    // store in temp RAM 
08:8F2D:E8         INX 
08:8F2E:BD 5F 8F   LDA $8F5F,X 
08:8F31:85 00      STA $0000 
08:8F33:E8         INX 
08:8F34:A0 00      LDY #$00 
08:8F36:B1 00      LDA ($00),Y  // load byte from address in temp RAM 
08:8F38:DD 5F 8F   CMP $8F5F,X  // compare with ROM check list 
08:8F3B:D0 0D      BNE $8F4A    // if it doesn't match, UH OH! BUSTED! 
08:8F3D:E8         INX          // otherwise, continue to next byte/address 
08:8F3E:C8         INY 
08:8F3F:C0 04      CPY #$04 
08:8F41:D0 F3      BNE $8F36 
08:8F43:E0 1E      CPX #$1E 
08:8F45:90 E1      BCC $8F28 
08:8F47:A9 AA      LDA #$AA     // if ROM checks out, reload sprite ID #AA 
08:8F49:60         RTS          // return to sprite processing 

ROM check list @ 0x20F6F (the first two bytes in each line are the address to check, high byte first; the next four are the bytes expected at that address):
BB 9F FB 9B 1C 9C  // pointers to "GIMMICK!" and "© 1992 SUNSOFT" 
BC 3C 14 0F 0D 0F  // "TOMO" (unused string) 
A8 70 0F C9 04 D0  // part of code that checks whether last text page has been displayed 
E0 A4 A0 1B 20 51  // code that loads and jumps to intro text bank 
E0 A8 F0 20 00 80

"TOMO" refers to Tomomi Sakae, the game's designer and programmer.

This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated at 0x20F5A:

08:8F4A:A2 00      LDX #$00     // UH OH! BUSTED! 
08:8F4C:BD 7D 8F   LDA $8F7D,X  // load encrypted byte 
08:8F4F:49 AC      EOR #$AC     // do some simple decryption on it... 
08:8F51:38         SEC 
08:8F52:E9 07      SBC #$07 
08:8F54:9D 00 05   STA $0500,X  // ...and store it in RAM 
08:8F57:E8         INX 
08:8F58:E0 60      CPX #$60     // continue until all 96 bytes are decrypted... 
08:8F5A:90 F0      BCC $8F4C 
08:8F5C:4C 00 05   JMP $0500    // ...and jump to $0500 (start of decrypted routine in RAM)

This is where things get really interesting. At 0x20F8D is a 96-byte block of seemingly innocuous data, which, in reality, is an XOR-encrypted routine! This is decrypted and copied to $0500-$055F in RAM, where it is then executed. This is what displays the "BLACK HOLE" text and locks up the game.

Here is the decrypted routine, with the important bits commented:

:0500:A9 FF      LDA #$FF 
:0502:85 29      STA $0029 
:0504:20 9F F2   JSR $F29F 
:0507:A9 00      LDA #$00 
:0509:85 FD      STA $00FD 
:050B:85 FC      STA $00FC 
:050D:A5 FF      LDA $00FF 
:050F:29 FC      AND #$FC 
:0511:85 FF      STA $00FF 
:0513:A9 00      LDA #$00     // blank screen 
:0515:A2 20      LDX #$20 
:0517:A0 00      LDY #$00 
:0519:20 2E F3   JSR $F32E 
:051C:AD 02 20   LDA $2002 
:051F:A9 21      LDA #$21     // set screen address $21A7 
:0521:8D 06 20   STA $2006 
:0524:A9 A7      LDA #$A7 
:0526:8D 06 20   STA $2006 
:0529:A2 00      LDX #$00 
:052B:BD 4F 05   LDA $054F,X  // load BLACK HOLE text 
:052E:8D 07 20   STA $2007    // write to screen 
:0531:E8         INX 
:0532:E0 11      CPX #$11 
:0534:D0 F5      BNE $052B 
:0536:A9 00      LDA #$00 
:0538:85 4A      STA $004A 
:053A:A9 01      LDA #$01 
:053C:85 E9      STA $00E9 
:053E:20 5B F3   JSR $F35B 
:0541:A9 00      LDA #$00 
:0543:85 29      STA $0029 
:0545:A9 40      LDA #$40      // load font into background CHR 
:0547:85 E5      STA $00E5
:0549:20 96 F2   JSR $F296 
:054C:4C 91 FF   JMP $FF91     // jump to infinite loop 

Text string @ $054F: 
00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00 
__ __ __ __ B  L  A  C  K  __ H  O  L  E  __ __ __
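
The check-list walk at $8F21 and the decoder at $8F4A, modelled in Python as an added example (not code from the game or from this wiki). The memory contents and the encoded sample are constructed from the bytes listed above, and the tile-to-letter mapping is an assumption inferred from the two-row text listing.

```python
# Added example: Python model of the check at $8F21 and the decoder at $8F4A.
CHECK_LIST = bytes.fromhex(          # the 30 table bytes listed on the page
    "BB9FFB9B1C9C" "BC3C140F0D0F" "A8700FC904D0"
    "E0A4A01B2051" "E0A8F0200080")

def parse_check_list(table):
    """Split the table into 6-byte entries: (address, 4 expected bytes)."""
    entries = []
    for i in range(0, len(table), 6):
        # First byte is stored to $01 (high), second to $00 (low).
        addr = (table[i] << 8) | table[i + 1]
        entries.append((addr, table[i + 2:i + 6]))
    return entries

def first_mismatch(read_byte, table=CHECK_LIST):
    """Return the first differing address (the BNE $8F4A case), else None."""
    for addr, expected in parse_check_list(table):
        for offset, want in enumerate(expected):
            if read_byte(addr + offset) != want:
                return addr + offset
    return None

def decode(block):
    """EOR #$AC, then SEC / SBC #$07: (b XOR $AC) - 7, wrapped to 8 bits."""
    return bytes(((b ^ 0xAC) - 7) & 0xFF for b in block)

def encode(plain):
    """Inverse transform; used here only to construct sample input."""
    return bytes(((b + 7) & 0xFF) ^ 0xAC for b in plain)

def tiles_to_text(tiles):
    """Assumption from the page's listing: tile n is the n-th letter, 00 is blank."""
    return "".join(chr(0x40 + t) if t else " " for t in tiles)

def constructed_memory(table=CHECK_LIST):
    """Constructed stand-in for the mapped ROM: holds exactly the expected bytes."""
    mem = {}
    for addr, expected in parse_check_list(table):
        mem.update({addr + i: b for i, b in enumerate(expected)})
    return mem

if __name__ == "__main__":
    mem = constructed_memory()
    print(first_mismatch(mem.get))                 # unmodified contents
    mem[0xBC3C] ^= 0xFF                            # simulate one edited byte
    print(hex(first_mismatch(mem.get)))
    head = bytes.fromhex("A9FF8529209FF2")         # first bytes at $0500 on the page
    print(decode(encode(head)).hex())
    print(tiles_to_text(bytes.fromhex("00000000020C01030B00080F0C05000000")))
```

Because the subtraction wraps modulo 256, the transform is a bijection on bytes, so every encoded value maps back to exactly one opcode or operand byte.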

It's worth noting that none of this code is ever executed in either the Scandinavian version or the US localization prototype; during its development, the triggering sprite ID was changed to #FE, which never appears during normal gameplay.