
ASM Sonic Eraser Disassembly (In Progress)

Discussion in 'Engineering & Reverse Engineering' started by RadioTails, Mar 24, 2020.

  1. RadioTails

    So does anyone like Sonic Eraser? No? Well I have decided to put together a disassembler for it. Check out redhotsonic's review for more information on this game:


    ---------------------------------------------------------------------------------------
    Sonic Eraser - Round Editor

    If you want to edit the Round (aka Puzzles), I have created a utility that can be downloaded here: http://www.romhacking.net/utilities/1528/


    You can either open the Round Data separately (the files from the Sonic Eraser Assembly), or open the rom entirely (making sure you have the correct offset and round # selected).

    I will be updating the tool, and look into converting it to C++ or Java.
    ---------------------------------------------------------------------------------------
    Sonic Eraser - Disassembly

    So I wanted to get some practice at making a disassembly, and since Sonic Eraser is a small 256Kb game, and I like puzzle games, I decided this would be a good game to make a disassembly for.

    You can download V0.6 here: http://www.mediafire.com/file/amgn6kg9xxrxvbd/Sonic_Eraser_%28Disassembler_-_V0.6%29.7z/file
    Notes:
    - While the rom can be compiled, it is missing a lot of code/data.

    If I find anything of interest, I'll post it here. The story goes this was available on the Sega Modem in Japan in 1991. It was then made available to download from Sega's website in 2004. The rom that can be found online is based on the 2004 version, as there are a lot of unused graphics that are related to the Sega Modem.

    At loc_0000024C, it actually skips out the Modem check. If you change loc_00000006 to hex 0250, it runs the checks to see if the Modem is connected. It displays a green screen, then the message below, followed by a red screen.
    [​IMG]
    The message roughly says: No Modem has been detected. Please turn off the power.

    This game is also very strange in that it transfers rom data $20000 - $2BFFF to RAM $0000 - $BFFF. So in a lot of cases, the game refers to offsets that are in the RAM. My guess as to why they have done this was because the Modem had a limit of 128Kb, so the other half is loaded into the RAM. On the bright side, this means RAM C000 - FFFF is used for other stuff.

    All the graphics are compressed with Nemesis, and the compression is at loc_000036A4. The font is uncompressed and uses 1bpp.

    The Sound Driver is Z80 SMPS. I have found where all the Z80 data is (along with an offset where it is located in the RAM), but I need to separate the data. There's only three FM tracks in the game, but the fact it is stored in the RAM, that's not too surprising.

    ---------------------------------------------------------------------------------------
     
    Last edited: Apr 19, 2020
  2. Nintorch

    There are a lot actually..
    Hmm.. I will check it.
    However, unused graphics? Can you show them here? :)
     
  3. RadioTails

    I know where the unused graphics are located (around hex 6300 to 8000), and these will be included in the next update. Now whether there are palette / tile placement data remains to be seen.

    One graphic looks like it would have displayed the Sega Meganet logo. Here's a bad attempt at putting it together:

    [​IMG]

    EDIT: It's the Sega Net News logo: https://segaretro.org/Sega_Net_News
     
    Last edited: Mar 24, 2020
  4. Mastered Realm

    -
  5. RadioTails

    And they couldn't be bothered to rip the unused Sega logo, which actually has palette data in the rom. :V There is code that loads it into RAM:

    loc_000006E0:
    SUBQ.w #2, ($BC20)
    LEA loc_0000070C, A0 ; Sega Logo Palette
    LEA ($F864), A1 ; RAM Address to store Palette.
    ADDA.w D0, A1
    MOVE.l (A0)+, (A1)+
    MOVE.l (A0)+, (A1)+
    MOVE.l (A0)+, (A1)+
    MOVE.l (A0)+, (A1)+
    MOVE.l (A0)+, (A1)+
    MOVE.w (A0)+, (A1)+


    But yes, the unused graphics are related to the Sega Modem. It didn't occur to me to check the sprite resource. Someone should really make a Cutting Room Floor section.

    I've also uploaded V0.2 where I have started to put the Round Puzzle data together. Since I am now on paid vacation, I have more time to update the assembler.
     
  6. RadioTails

    The disassembler is coming along nicely, and I have uploaded V0.3.
    I am currently figuring out what is code and what is data in the 20000 to 2C000. As mentioned on the first page, the data is transferred into the RAM.

    All of the text has been located, with the exception of the Staff Credits that loads if you clear ROUND 40 (these appear to be sprites, but it shouldn't be hard to locate).

    I have separated all 41 of the Round Puzzles. I plan to make an editor so you can edit the bin data, so that should be fun.

    I'm trying to figure out how the mapping values for the Book and Playing field are stored. I know they get stored at RAM FFE630, and know where the book mapping values are.
     
  7. RadioTails

    I'm finally making some quicker progress. I tried using Exodus Emulator to locate the 68K Code, but I wasn't having much luck. I heard a lot of people talking about IDA Pro, so after finding a working full version, it's done a far better job.

    I mentioned that this game stores code in the RAM. There is a whole section that contains JMP offsets. The JMP and JSR commands for jumping to code in the ROM are displayed in hex code like so:
    JMP = 4EF9 00XX XXXX
    JSR = 4EB9 00XX XXXX

    The JMP and JSR commands for jumping to code in the RAM are displayed in hex code like so:
    JMP = 4EF8 XXXX
    JSR = 4EB8 XXXX


    From what I can tell, asm68k.exe does not support JMP / JSR to RAM (unless I'm mistaken, then please let me know). So I had to make my own Constants and treat them like data:
    jtr_jmp equ $4EF8 ; Jump to RAM (JMP)
    jtr_jsr equ $4EB8 ; Jump to RAM (JSR)


    With that issue out of the way, I started taking the code and compiling it as I go along. Currently I have 20000 to 22C16 done, and the hex code matches against the original. :)

    I also include the code for the Nemesis Compression at 36A4. Most of the code is the same as Sonic 1, but then there are cases where it jumps to the RAM, and jumps to the subroutine in the ROM.
     
    Last edited: Apr 5, 2020
  8. AURORA☆FIELDS

    asm68k does support this, but because of a long-standing IDA bug, IDA would disassemble .w and (pc) jump instructions without those markers. asm68k does not know which to pick, so in most cases it will just choose .l jump instructions, leading to incorrect code. There was a script floating around that automatically fixed this, but I don't remember where. The other option is to go manually (yes, manually) and fix all of them to have the .w thing after them.
     
  9. RadioTails

    Thanks for the help Aurora Fields! You have to enter it as so:
    JMP $FFFFFC6E.w
    JSR $FFFFFB72.w

    Now I need to locate the JSR / JMP and update them in the disassembler.
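
    Added example, not part of the original posts or of the disassembly: a Python helper that finds the four absolute JMP/JSR opcodes quoted in the posts above and prints each with an explicit .w or .l suffix in the form shown in the last post, so asm68k emits the same bytes. The function names are hypothetical and the sample bytes are constructed, not taken from the ROM.

```python
import struct

# 68000 opcodes for JMP/JSR with absolute addressing (values from the thread).
ABS_JUMPS = {
    0x4EF8: ("JMP", "w"), 0x4EB8: ("JSR", "w"),   # abs.w: 16-bit operand
    0x4EF9: ("JMP", "l"), 0x4EB9: ("JSR", "l"),   # abs.l: 32-bit operand
}

def decode_abs_jump(buf, off):
    """Return (asm_text, length) for a JMP/JSR abs at off, else None."""
    if off + 2 > len(buf):
        return None
    (opcode,) = struct.unpack_from(">H", buf, off)
    entry = ABS_JUMPS.get(opcode)
    if entry is None:
        return None
    mnemonic, size = entry
    if size == "w":
        if off + 4 > len(buf):
            return None          # truncated operand
        # The CPU sign-extends the 16-bit operand to 32 bits, so $FC6E
        # means $FFFFFC6E (top of RAM) and $0250 means $00000250.
        (target,) = struct.unpack_from(">h", buf, off + 2)
        target &= 0xFFFFFFFF
        length = 4
    else:
        if off + 6 > len(buf):
            return None          # truncated operand
        (target,) = struct.unpack_from(">I", buf, off + 2)
        length = 6
    return f"{mnemonic} ${target:08X}.{size}", length

def list_abs_jumps(buf, base=0):
    """Linear scan on word boundaries; hits inside data are false positives."""
    out, off = [], 0
    while off < len(buf):
        hit = decode_abs_jump(buf, off)
        if hit:
            out.append((base + off, hit[0]))
            off += hit[1]
        else:
            off += 2
    return out

# Constructed sample bytes (not from the ROM): two short jumps to the RAM
# addresses quoted in the thread, an RTS, and one long JSR into ROM.
SAMPLE = bytes.fromhex("4EF8FC6E" "4EB8FB72" "4E75" "4EB9000036A4")

if __name__ == "__main__":
    for addr, text in list_abs_jumps(SAMPLE, base=0x20000):
        print(f"loc_{addr:08X}: {text}")
```

    Because the scan is linear, run it only over ranges already confirmed as code, and compare the reassembled bytes against the original ROM afterwards.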
     
  10. RadioTails

    I have uploaded V0.5 of the Disassembler.

    The most interesting part is I have put together a Round Editor, which I have included in the disassembler in this location:
    Sonic Eraser (Disassembler)\round mode\Round Mode Editor
    Currently you have to open the individual file, but I plan to allow the user to enter an offset to get the data. Plus the code could be written better. For now, it does the job.

    Nothing too exciting, but I took the code from the Sonic 1 Disassembler so you can choose to have SRAM support.

    There was one section where IDA Pro didn't think it was code. So I had to get IDA Pro to read that section as a separate file, and fix the location labels.

    2B03A to 2C000 is code, so I need to get that transferred over next.
    26D84 to 2aaaa are data, so I need to figure out what they are. Most likely stuff like AI, Tile Maps, Staff Credits for Round Mode, etc.
     
  11. RadioTails

    I have uploaded V0.6 of the Disassembler.

    So all the code from the 20000 to 2C000 (RAM Transfer) has been added. Yay! I just need to figure out what the data blocks do. I may just split them and put them in the unknown folder for the time being so we can at least get a working rom to compile.

    I have included all the Nemesis compressed graphics, along with the uncompressed data. I have started to put in the code from 200 to 1000. A lot of this code is unused, as it's stuff related to the Sega Modem.