If you've blocked our ad, please consider unblocking it.
We promise it isn't annoying. No flash, no sound, ever.
This page contains notes for the game Gimmick!.
Copy Protection Code
At 0x20031 in the ROM is the following code:
08:8021:BD 50 03 LDA $0350,X // load sprite ID from active sprite list 08:8024:C9 AA CMP #$AA // is it #AA? 08:8026:D0 05 BNE $802D // if no, carry on 08:8028:20 21 8F JSR $8F21 // if yes, jump to copy protection routine
This code is run whenever any sprites (aside from Yumetarō himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in stage 7:
As soon as the bug is loaded into RAM, this code is run, at 0x20F31:
08:8F21:A0 1B LDY #$1B // load ROM bank #1B (intro text/routines) 08:8F23:20 5E F0 JSR $F05E 08:8F26:A2 00 LDX #$00 08:8F28:BD 5F 8F LDA $8F5F,X // load address from ROM check list 08:8F2B:85 01 STA $0001 // store in temp RAM 08:8F2D:E8 INX 08:8F2E:BD 5F 8F LDA $8F5F,X 08:8F31:85 00 STA $0000 08:8F33:E8 INX 08:8F34:A0 00 LDY #$00 08:8F36:B1 00 LDA ($00),Y // load byte from address in temp RAM 08:8F38:DD 5F 8F CMP $8F5F,X // compare with ROM check list 08:8F3B:D0 0D BNE $8F4A // if it doesn't match, UH OH! BUSTED! 08:8F3D:E8 INX // otherwise, continue to next byte/address 08:8F3E:C8 INY 08:8F3F:C0 04 CPY #$04 08:8F41:D0 F3 BNE $8F36 08:8F43:E0 1E CPX #$1E 08:8F45:90 E1 BCC $8F28 08:8F47:A9 AA LDA #$AA // if ROM checks out, reload sprite ID #AA 08:8F49:60 RTS // return to sprite processing ROM check list @ 0x20F6F (first two digits in each line): BB 9F FB 9B 1C 9C // pointers to "GIMMICK!" and "© 1992 SUNSOFT" BC 3C 14 0F 0D 0F // "TOMO" (unused string) A8 70 0F C9 04 D0 // part of code that checks whether last text page has been displayed E0 A4 A0 1B 20 51 // code that loads and jumps to intro text bank E0 A8 F0 20 00 80
TOMO is a reference to Tomomi Sakae, the designer and programmer.
This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated, at 0x20F5A:
08:8F4A:A2 00 LDX #$00 // UH OH! BUSTED! 08:8F4C:BD 7D 8F LDA $8F7D,X // load encrypted byte 08:8F4F:49 AC EOR #$AC // do some simple decryption on it... 08:8F51:38 SEC 08:8F52:E9 07 SBC #$07 08:8F54:9D 00 05 STA $0500,X // ...and store it in RAM 08:8F57:E8 INX 08:8F58:E0 60 CPX #$60 // continue until all 96 bytes are decrypted... 08:8F5A:90 F0 BCC $8F4C 08:8F5C:4C 00 05 JMP $0500 // ...and jump to $0500 (start of decrypted routine in RAM)
This is where things get really interesting. At 0x20F8D is a 96-byte block of seemingly innocuous data, which in reality is an XOR-encrypted routine! This is decrypted and copied to $0500-$055F in RAM, where it is then executed. This is what displays the BLACK HOLE text and locks up the game.
Here is the decrypted routine, with the important bits commented:
:0500:A9 FF LDA #$FF :0502:85 29 STA $0029 :0504:20 9F F2 JSR $F29F :0507:A9 00 LDA #$00 :0509:85 FD STA $00FD :050B:85 FC STA $00FC :050D:A5 FF LDA $00FF :050F:29 FC AND #$FC :0511:85 FF STA $00FF :0513:A9 00 LDA #$00 // blank screen :0515:A2 20 LDX #$20 :0517:A0 00 LDY #$00 :0519:20 2E F3 JSR $F32E :051C:AD 02 20 LDA $2002 :051F:A9 21 LDA #$21 // set screen address $21A7 :0521:8D 06 20 STA $2006 :0524:A9 A7 LDA #$A7 :0526:8D 06 20 STA $2006 :0529:A2 00 LDX #$00 :052B:BD 4F 05 LDA $054F,X // load BLACK HOLE text :052E:8D 07 20 STA $2007 // write to screen :0531:E8 INX :0532:E0 11 CPX #$11 :0534:D0 F5 BNE $052B :0536:A9 00 LDA #$00 :0538:85 4A STA $004A :053A:A9 01 LDA #$01 :053C:85 E9 STA $00E9 :053E:20 5B F3 JSR $F35B :0541:A9 00 LDA #$00 :0543:85 29 STA $0029 :0545:A9 40 LDA #$40 // load font into background CHR :0547:85 E5 STA $00E5 :0549:20 96 F2 JSR $F296 :054C:4C 91 FF JMP $FF91 // jump to infinite loop Text string @ $054F: 00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00 __ __ __ __ B L A C K __ H O L E __ __ __
It's worth noting that none of this code is ever executed in the European version, as the triggering sprite ID was changed to #FE, which never appears during normal gameplay.