The Cutting Room Floor now has a Patreon page. Thanks for all your support!

If you've blocked our ad, please consider unblocking it.
We promise it isn't annoying. No flash, no sound, ever.

Ads by Project Wonderful! Your ad here, right now: $0


From The Cutting Room Floor
Jump to: navigation, search
This page contains notes for the game Gimmick!.

Copy Protection Code

At 0x20031 in the ROM is the following code:

08:8021:BD 50 03   LDA $0350,X  // load sprite ID from active sprite list 
08:8024:C9 AA      CMP #$AA     // is it #AA? 
08:8026:D0 05      BNE $802D    // if no, carry on 
08:8028:20 21 8F   JSR $8F21    // if yes, jump to copy protection routine

This code is run whenever any sprites (aside from Yumetarō himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in stage 7:

Gimmick bugsprite.png

As soon as the bug is loaded into RAM, this code is run, at 0x20F31:

08:8F21:A0 1B      LDY #$1B     // load ROM bank #1B (intro text/routines) 
08:8F23:20 5E F0   JSR $F05E 
08:8F26:A2 00      LDX #$00 
08:8F28:BD 5F 8F   LDA $8F5F,X  // load address from ROM check list 
08:8F2B:85 01      STA $0001    // store in temp RAM 
08:8F2D:E8         INX 
08:8F2E:BD 5F 8F   LDA $8F5F,X 
08:8F31:85 00      STA $0000 
08:8F33:E8         INX 
08:8F34:A0 00      LDY #$00 
08:8F36:B1 00      LDA ($00),Y  // load byte from address in temp RAM 
08:8F38:DD 5F 8F   CMP $8F5F,X  // compare with ROM check list 
08:8F3B:D0 0D      BNE $8F4A    // if it doesn't match, UH OH! BUSTED! 
08:8F3D:E8         INX          // otherwise, continue to next byte/address 
08:8F3E:C8         INY 
08:8F3F:C0 04      CPY #$04 
08:8F41:D0 F3      BNE $8F36 
08:8F43:E0 1E      CPX #$1E 
08:8F45:90 E1      BCC $8F28 
08:8F47:A9 AA      LDA #$AA     // if ROM checks out, reload sprite ID #AA 
08:8F49:60         RTS          // return to sprite processing 

ROM check list @ 0x20F6F (first two digits in each line): 
BB 9F FB 9B 1C 9C  // pointers to "GIMMICK!" and "© 1992 SUNSOFT" 
BC 3C 14 0F 0D 0F  // "TOMO" (unused string) 
A8 70 0F C9 04 D0  // part of code that checks whether last text page has been displayed 
E0 A4 A0 1B 20 51  // code that loads and jumps to intro text bank 
E0 A8 F0 20 00 80

TOMO is a reference to Tomomi Sakae, the designer and programmer.

This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated, at 0x20F5A:

08:8F4A:A2 00      LDX #$00     // UH OH! BUSTED! 
08:8F4C:BD 7D 8F   LDA $8F7D,X  // load encrypted byte 
08:8F4F:49 AC      EOR #$AC     // do some simple decryption on it... 
08:8F51:38         SEC 
08:8F52:E9 07      SBC #$07 
08:8F54:9D 00 05   STA $0500,X  // ...and store it in RAM 
08:8F57:E8         INX 
08:8F58:E0 60      CPX #$60     // continue until all 96 bytes are decrypted... 
08:8F5A:90 F0      BCC $8F4C 
08:8F5C:4C 00 05   JMP $0500    // ...and jump to $0500 (start of decrypted routine in RAM)

This is where things get really interesting. At 0x20F8D is a 96-byte block of seemingly innocuous data, which in reality is an XOR-encrypted routine! This is decrypted and copied to $0500-$055F in RAM, where it is then executed. This is what displays the BLACK HOLE text and locks up the game.

Here is the decrypted routine, with the important bits commented:

:0500:A9 FF      LDA #$FF 
:0502:85 29      STA $0029 
:0504:20 9F F2   JSR $F29F 
:0507:A9 00      LDA #$00 
:0509:85 FD      STA $00FD 
:050B:85 FC      STA $00FC 
:050D:A5 FF      LDA $00FF 
:050F:29 FC      AND #$FC 
:0511:85 FF      STA $00FF 
:0513:A9 00      LDA #$00     // blank screen 
:0515:A2 20      LDX #$20 
:0517:A0 00      LDY #$00 
:0519:20 2E F3   JSR $F32E 
:051C:AD 02 20   LDA $2002 
:051F:A9 21      LDA #$21     // set screen address $21A7 
:0521:8D 06 20   STA $2006 
:0524:A9 A7      LDA #$A7 
:0526:8D 06 20   STA $2006 
:0529:A2 00      LDX #$00 
:052B:BD 4F 05   LDA $054F,X  // load BLACK HOLE text 
:052E:8D 07 20   STA $2007    // write to screen 
:0531:E8         INX 
:0532:E0 11      CPX #$11 
:0534:D0 F5      BNE $052B 
:0536:A9 00      LDA #$00 
:0538:85 4A      STA $004A 
:053A:A9 01      LDA #$01 
:053C:85 E9      STA $00E9 
:053E:20 5B F3   JSR $F35B 
:0541:A9 00      LDA #$00 
:0543:85 29      STA $0029 
:0545:A9 40      LDA #$40      // load font into background CHR 
:0547:85 E5      STA $00E5
:0549:20 96 F2   JSR $F296 
:054C:4C 91 FF   JMP $FF91     // jump to infinite loop 

Text string @ $054F: 
00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00 
__ __ __ __ B  L  A  C  K  __ H  O  L  E  __ __ __

It's worth noting that none of this code is ever executed in the European version, as the triggering sprite ID was changed to #FE, which never appears during normal gameplay.