Talk:Batman Returns (NES)
Hello,
I vividly remember the anti-piracy feature preventing me from completing the game in an emulator as a kid. Now, I have removed every mention of Konami in the game (both in the CHR bank and in the PRG banks, it doesn't appear in the title screen anymore etc) but I can't seem to trigger the copy control. Would it be possible to get more precise information about it?
Before you ask, my goal is to make a romhack that disables it.
Thanks — The preceding unsigned comment was added by MetHy (talk • contribs)
- Here are all the code blocks that check for data integrity, then the code blocks that check the prot flags.
The first routine is called from the helicopter object handler once, when it appears on screen. It partially checks the KONAMI logo tilemap and sets flag 10 in the common game flags var.
BANK3:BEF2 _prot_test_KONAMI_logo:
BANK3:BEF2 A0 00       LDY #0
BANK3:BEF4 84 02       STY byte_2
BANK3:BEF6 loc_53EF6:
BANK3:BEF6 B9 7F FA    LDA _tlm_pak01+8,Y
BANK3:BEF9 18          CLC
BANK3:BEFA 65 02       ADC byte_2
BANK3:BEFC 85 02       STA byte_2
BANK3:BEFE 98          TYA
BANK3:BEFF 18          CLC
BANK3:BF00 69 08       ADC #8
BANK3:BF02 A8          TAY
BANK3:BF03 C0 40       CPY #$40
BANK3:BF05 90 EF       BCC loc_53EF6
BANK3:BF07 A5 02       LDA byte_2
BANK3:BF09 C9 88       CMP #$88
BANK3:BF0B F0 08       BEQ locret_53F15
BANK3:BF0D AD 07 01    LDA _game_mode_flags
BANK3:BF10 09 10       ORA #$10
BANK3:BF12 8D 07 01    STA _game_mode_flags
BANK3:BF15 locret_53F15:
BANK3:BF15 60          RTS
The second one is called from one of the object handlers in the Ivory tower boss fight. It checks part of the BATMAN logo tile map and sets the same game flag 10.
BANK7:FAD2 _prot_test_BATNAM_titleA:
BANK7:FAD2 A0 00       LDY #0
BANK7:FAD4 84 02       STY byte_2
BANK7:FAD6 loc_B7AD6:
BANK7:FAD6 B9 9A 99    LDA _tlm_pak03+7,Y
BANK7:FAD9 18          CLC
BANK7:FADA 65 02       ADC byte_2
BANK7:FADC 85 02       STA byte_2
BANK7:FADE C8          INY
BANK7:FADF C0 13       CPY #$13
BANK7:FAE1 90 F3       BCC loc_B7AD6
BANK7:FAE3 A5 02       LDA byte_2
BANK7:FAE5 C9 98       CMP #$98
BANK7:FAE7 F0 08       BEQ locret_B7AF1
BANK7:FAE9 AD 07 01    LDA _game_mode_flags
BANK7:FAEC 09 10       ORA #$10
BANK7:FAEE 8D 07 01    STA _game_mode_flags
BANK7:FAF1 locret_B7AF1:
BANK7:FAF1 60          RTS
Accidentally I found another two integrity checks lol. Here is another portion of the BATMAN title screen tilemap check, with a different protection flag raised. This routine is called from another object handler, at stage 2, where there are some platforms on the water.
BANK7:DDEA _prot_test_BATNAM_titleB:
BANK7:DDEA A0 00       LDY #0
BANK7:DDEC 84 02       STY byte_2
BANK7:DDEE
BANK7:DDEE loc_B5DEE:
BANK7:DDEE B9 6B 9A    LDA _tlm_pak03+$D8,Y
BANK7:DDF1 18          CLC
BANK7:DDF2 65 02       ADC byte_2
BANK7:DDF4 85 02       STA byte_2
BANK7:DDF6 C8          INY
BANK7:DDF7 C0 0D       CPY #$D
BANK7:DDF9 90 F3       BCC loc_B5DEE
BANK7:DDFB A5 02       LDA byte_2
BANK7:DDFD C9 C3       CMP #$C3
BANK7:DDFF F0 02       BEQ locret_B5E03
BANK7:DE01 E6 C4       INC _prot_difficult_flag
BANK7:DE03 locret_B5E03:
BANK7:DE03 60          RTS
The last one checks another portion of the title BATMAN logo when the title screen is displayed, and raises the same prot flag as the previous code.
BANK7:F294 _prot_test_BATNAM_titleC:
BANK7:F294 B9 59 81    LDA byte_98159,Y
BANK7:F297 18          CLC
BANK7:F298 65 00       ADC word_0
BANK7:F29A 85 00       STA word_0
BANK7:F29C A5 01       LDA word_0+1
BANK7:F29E 69 00       ADC #0
BANK7:F2A0 85 01       STA word_0+1
BANK7:F2A2 C8          INY
BANK7:F2A3 C0 29       CPY #$29
BANK7:F2A5 90 ED       BCC _prot_test_BATNAM_titleC
BANK7:F2A7 A5 00       LDA word_0
BANK7:F2A9 C9 FC       CMP #$FC
BANK7:F2AB D0 06       BNE loc_B72B3
BANK7:F2AD A5 01       LDA word_0+1
BANK7:F2AF C9 08       CMP #8
BANK7:F2B1 F0 04       BEQ locret_B72B7
BANK7:F2B3 loc_B72B3:
BANK7:F2B3 A9 01       LDA #1
BANK7:F2B5 85 C4       STA _prot_difficult_flag
This is part of the hit registration routine; word_0 contains the damage hitpoints dealt to the player when hit by an enemy. If the protection is triggered, the damage is multiplied twice.
BANK7:E151 85 00       STA word_0
BANK7:E153 A5 C4       LDA _prot_difficult_flag
BANK7:E155 F0 02       BEQ loc_B6159
BANK7:E157 06 00       ASL word_0
here is the special conversation flag raised if 10 game flag is set (prot detected), then game thinks you already listen to the conversation but you don't
BANK2:BD7F loc_3BD7F:
BANK2:BD7F AD 07 01    LDA _game_mode_flags
BANK2:BD82 29 10       AND #$10
BANK2:BD84 F0 08       BEQ loc_3BD8E
BANK2:BD86 AD 19 01    LDA _special_level3_1_flags
BANK2:BD89 09 05       ORA #5
BANK2:BD8B 8D 19 01    STA _special_level3_1_flags
BANK2:BD8E loc_3BD8E:
BANK2:BD8E AD 19 01    LDA _special_level3_1_flags
Password decode portion that prevents passwords with prot flags from being valid.
BANK5:8145 loc_80145:
BANK5:8145 A2 09       LDX #9
BANK5:8147 20 86 81    JSR _pass_get_raw
BANK5:814A 8D 07 01    STA _game_mode_flags
BANK5:814D 29 10       AND #$10
BANK5:814F D0 ED       BNE loc_8013E
BANK5:8151 E6 23       INC _sub_sub_idx
— The preceding unsigned comment was added by Cah4e3 (talk • contribs)
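The four integrity routines listed above are plain additive checksums over slices of tilemap data. The following is an added example, not code from the game or from either poster: a Python model of those loops using the offsets, counts and stride read from the listings. The table contents are constructed stand-ins, the reference sums are computed from them rather than being the game's constants, and the starting values of Y and word_0 for the title screen check are assumed to be 0.

```python
# Added example: model of the additive checksums in the listings above.
# Table contents are constructed sample bytes, not the game's data.

# routine: (table, first offset, byte count, stride, accumulator bits)
ROUTINES = {
    "KONAMI_logo": ("_tlm_pak01", 8, 8, 8, 8),      # Y = 0,8,..,$38
    "titleA": ("_tlm_pak03", 7, 0x13, 1, 8),
    "titleB": ("_tlm_pak03", 0xD8, 0x0D, 1, 8),
    # Assumption: Y and word_0 start at 0 (the caller is not in the listing).
    "titleC": ("byte_98159", 0, 0x29, 1, 16),
}

def additive_sum(data, start, count, stride, bits):
    """CLC/ADC loop: sum of the sampled bytes, truncated to `bits` bits."""
    mask = (1 << bits) - 1
    total = 0
    for i in range(count):
        total = (total + data[start + i * stride]) & mask
    return total

def make_tables():
    """Constructed stand-in tables, 256 bytes each."""
    names = ("_tlm_pak01", "_tlm_pak03", "byte_98159")
    return {name: bytearray((i * 37 + seed) & 0xFF for i in range(0x100))
            for seed, name in enumerate(names, 11)}

def sums(tables):
    return {r: additive_sum(tables[t], *rest)
            for r, (t, *rest) in ROUTINES.items()}

# Reference sums of the untouched constructed tables. The game hard-codes
# its own values in CMP instructions ($88, $98, $C3 and $08FC).
REFERENCE = sums(make_tables())

def tripped(tables):
    """Names of the routines whose sum no longer matches the reference."""
    now = sums(tables)
    return sorted(r for r in ROUTINES if now[r] != REFERENCE[r])

def flip(table, offset):
    """Invert one byte of a fresh copy and report which checks notice."""
    tables = make_tables()
    tables[table][offset] ^= 0xFF
    return tripped(tables)

def swap(table, a, b):
    """Exchange two bytes of a fresh copy and report which checks notice."""
    tables = make_tables()
    buf = tables[table]
    buf[a], buf[b] = buf[b], buf[a]
    return tripped(tables)
```

In this model a changed byte is noticed only if a routine samples it: the KONAMI check reads every eighth byte, so `flip("_tlm_pak01", 9)` trips nothing while offset 16 does, and a sum cannot see reordering, so `swap("_tlm_pak03", 0xD8, 0xD9)` also trips nothing.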
This is absolutely amazing, a lot more than I expected, thanks a lot! Turns out I wasn't very far from finding some of these but I was a little bit confused between the roles of $0107 and $0119.
As for that penultimate one, the code that sets a flag to $0119, I remember seeing this code and from my understanding it's also used as part of regular gameplay (without triggering the copy protection) once the player has recorded the conversation, so it shouldn't be messed with. I'll make a romhack that disables the copy protection, and this just gave me the idea, another one that activates the double damage as a kind of hard mode. I'll let you know!
Edit: Here is a small correction about the code located at bank 2 BD7F: "here is the special conversation flag raised if 10 game flag is set (prot detected), then game thinks you already listen to the conversation but you don't". From my understanding this is not exactly correct. What happens is:
- the stage goes on like normal, the player listens to the conversation with Penguin
- once you're back onto the first street, when you're about to reach the exit window, the game checks if flag 10 on $0107 (copy protection flag) is on, and if it is, changes $0109 to make sure the exit window remains closed when it should be opened (thus, the stage can't be completed and loops forever)
This is how I understand it anyway, let me know what you think.
Edit 2: Also, what do you mean by "this effect is permanent unless you reset the console or enter any valid password."? As far as I understand it, valid passwords cannot work as long as the flag is raised; so I think the effect is permanent until you reset the console.
- The game will STORE the protection flag in the password itself. It is not that the console with the prot flag raised prevents you from entering a password; rather, a password generated while the prot flag was raised will not register. When you input a password, the prot flag in _game_mode_flags is overwritten with the value encoded in the password, not the one you have in your game's memory. So if you already have the flag raised somehow during the game, but after game over you input a clean password taken from a console with no prot flag triggered (with no prot flag stored), then your prot flag in memory will be reset!--Cah4e3 (talk)
Edit 3: Hey, I released a romhack that disables the copy protection like I said I would. I credited you for the documentation, thanks again! http://www.romhacking.net/hacks/5747/
You're right about the valid passwords resetting the copy protection flag, I must have done something wrong when I thought that couldn't happen. I edited the text in the main page to change the description for Stage 3-1 though, it's pretty easy to test: add 10 to the value in $0107 and play the stage, you'll see that the conversation with Penguin goes on like normal but after that the exit window remains closed. The routine at Bank 2 BD7F does that, it gets triggered in the street just before the window appears; in fact, if you make the screen scroll fast enough before the female enemy appears, you'll see that the window is opened, but once the enemy is dead, it closes.