Sonic 2 and Knuckles

Discussion in 'Engineering & Reverse Engineering' started by Quickman, Jan 24, 2004.

Thread Status:
Not open for further replies.
  1. Quickman (Tech Member)
    I've patched Sonic 2 with Esrael's Knuckles in Sonic 2 IPS patch available at Sonicology, and have found a bug. When you get to the end of EHZ2, the game freezes up. I've taken a screenshot of the 68k debug screen in the hope that I can fix this bug.

    UPDATE: I've found the offending command - it's located at $C098. Here's the disassembly.

    Code (Text):
    0x4EB9 0x0030 0x1068 - JSR 0x301068
    This calls a subroutine found at $301068 which of course doesn't exist. The result? The game reads it as lots of zeroes. Here's a disassembly.

    Code (Text):
    0x0000 0x0000 - ORI.B #0x0,D0
    Of course, it keeps reading zeroes and keeps spewing out ORI commands, and never exits the subroutine because there's no RTS code. The result is a game which has hung up.

    Now I need the location in the modified ROM of the EHZ boss so I can change the JSR command to point to the correct subroutine.
     
  2. LocalH (Tech Member)
    Look at the code at $1068 in S&KUPMEM.BIN (since S&KUPMEM.BIN starts at $300000). Then find the same code in the Esrael-hacked S2&K ROM, and replace $301068 with his location for that code.

    And technically, the game didn't freeze up, it just entered a sort of infinite loop. The PC likely increments until it wraps past $3FFFFF, going through loads of ORs, which in this case are effectively NOPs. Then, it starts executing whatever is at $400000 (which, if anything, is definitely not code). Of course, I'm being a bit pedantic, yeah the 68k didn't technically freeze up, but effectively the game is frozen.

    Edit: I did a bit of checking, and here's the code at $301068 (not an entire routine, but enough to help):

    Code (Text):
    00001068 4A38 FFE0                TST.B     $FFE0
    0000106C 6606                     BNE       $00001074
    0000106E 11C0 FFE0                MOVE.B    D0,$FFE0
    00001072 4E75                     RTS
    00001074 11C0 FFE4                MOVE.B    D0,$FFE4
    00001078 4E75                     RTS
    0000107A 11C0 FFE1                MOVE.B    D0,$FFE1
    0000107E 4E75                     RTS
    00001080 11C0 FFE2                MOVE.B    D0,$FFE2
    00001084 4E75                     RTS
    I found a match for these bytes in Sonic 2 Final at $135E:
    Code (Text):
    0000135E 4A38 FFE0                TST.B     $FFE0
    00001362 6606                     BNE       $0000136A
    00001364 11C0 FFE0                MOVE.B    D0,$FFE0
    00001368 4E75                     RTS
    0000136A 11C0 FFE4                MOVE.B    D0,$FFE4
    0000136E 4E75                     RTS
    00001370 11C0 FFE1                MOVE.B    D0,$FFE1
    00001374 4E75                     RTS
    00001376 11C0 FFE2                MOVE.B    D0,$FFE2
    0000137A 4E75                     RTS
    And it's the only match. So, change $301068 to $00135E and it should work. Matter of fact, I have that hack on my HD, so I'm going to test it now.

    Edit: Scrap that, I did the search for those bytes on the 1MB S2&K and found them at $1068. So just change the $30 in the address to $00. Will try this now.

    Son of edit: Changed top description to reference Esrael's hack instead of S2 Final.
     
  3. LocalH (Tech Member)
    Crap. I fixed this, and then it seems to have halted at $301328 according to Gens. Looks like there's more to fix :/

    Edit: The JSR $00301328 is at $C0AA in Esrael's hack. Found at $1328 in S&KUPMEM.BIN (with enough surrounding info to make it easier to find in Esrael's hack):

    Code (Text):
    0000131A 5345                     SUBQ.W    #$1,D5
    0000131C 3387 0000                MOVE.W    D7,$00(A1,D0.W)
    00001320 5440                     ADDQ.W    #$2,D0
    00001322 51CD FFF8                DBRA      D5,$0000131C
    00001326 60BA                     BRA       $000012E2
    00001328 48E7 0060                MOVEM.L   A1-A2,-(A7)
    0000132C 43F9 0033A3FC            LEA       $0033A3FC,A1
    00001332 D040                     ADD.W     D0,D0
    (I grabbed some before $1328 because of that LEA at $132C, which would have a different argument and thus not be easily found). Found one match in Esrael's hack at $131A. Fixed it, and WTF, the game jumps to $0200, which is the infinite loop before the start vector. Goddamnit...

    Meh, I'm through for now, I've gotta get ready for work in a bit. If we can figure out where the stray jump to $0200 is (can't be that hard, it'd probably either be a JMP or a JSR), then we can proceed further.

    Edit: Also just noticed that the debug sprite doesn't show up, although I was able to place rings and monitors like normal. This is both Esrael's hack, and the ones I modified above.
     
  4. Quickman (Tech Member)
    Thanks for that. My searches of Esrael's hack have turned up no JMP or JSR commands to $200. I'm at an impasse, unless there's another possibility.
     
  5. LocalH (Tech Member)
    Oh, Goddamnit, I think I fucked that up. I'll check later, but I think I might have changed the $00301328 to $0000131A, which wasn't the start of the routine that was actually being jumped to, but rather a few bytes before. Try changing it to $00001328 instead (I'll do this later).
     
  6. Quickman (Tech Member)
    Okay, changing it to $1328 works, however there is yet another fucked-up subroutine call at $C0D2, calling $313D78. Change this to $013D78.
     
  7. Esrael (Tech Member)
    Thanks. I'll fix it.
    You can fix it by changing the following bytes:
    $C098 to 4EB900001068
    $C0AA to 4EB900001328
    $C0D2 to 4EB900013D78
    $C0F8 to 4EB900001068
     
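The procedure LocalH worked through in posts 2 and 3 (find the routine's bytes in S&KUPMEM.BIN, search for the same bytes in the merged ROM, rewrite the JSR's absolute-long operand) and the byte-level patch list Esrael posted above can be automated. The script below is an added example, not code from the thread or from either hack. The opcode words ($4EB9 for JSR (xxx).L, $4EF9 for JMP (xxx).L), the $300000 base of S&KUPMEM.BIN, and the routine bytes at $1068 and $131A..$1332 are taken from the thread; the two ROM images it works on are constructed stand-ins of a few KB, not real ROM data, and the different LEA operand in the merged copy of the $1328 routine is a constructed illustration of the mismatch LocalH worked around by searching on the preceding bytes.

```python
# Added example (not from the thread): relocating JSR targets after merging two ROM images.
# Opcode words, the $300000 base of S&KUPMEM.BIN and the routine bytes at $1068/$1328 come
# from the thread; the ROM images below are constructed stand-ins, not real ROM data.
import struct

JSR_ABS_L = 0x4EB9       # JSR (xxx).L
JMP_ABS_L = 0x4EF9       # JMP (xxx).L
DONOR_BASE = 0x300000    # where S&KUPMEM.BIN sat in the original layout

# Bytes quoted in the thread: the routine at $1068 and the code around $1328 in S&KUPMEM.BIN.
ROUTINE_1068 = bytes.fromhex(
    "4A38FFE0" "6606" "11C0FFE0" "4E75" "11C0FFE4" "4E75"
    "11C0FFE1" "4E75" "11C0FFE2" "4E75")
CONTEXT_131A = bytes.fromhex("5345" "33870000" "5440" "51CDFFF8" "60BA")  # 14 bytes before $1328
ROUTINE_1328_DONOR = bytes.fromhex("48E70060" "43F90033A3FC" "D040")
# Constructed: the merged ROM's copy carries a different LEA operand, so the routine's own
# bytes do not match and only a search that includes the preceding code will find it.
ROUTINE_1328_MERGED = bytes.fromhex("48E70060" "43F90003A3FC" "D040")


def _build(size, chunks):
    """Constructed ROM image: zero-filled, with the given byte strings placed at offsets."""
    img = bytearray(size)
    for off, data in chunks.items():
        img[off:off + len(data)] = data
    return bytes(img)


DONOR_ROM = _build(0x2000, {0x1068: ROUTINE_1068,
                            0x131A: CONTEXT_131A + ROUTINE_1328_DONOR})
MERGED_ROM = _build(0x10000, {
    0x1068: ROUTINE_1068,
    0x131A: CONTEXT_131A + ROUTINE_1328_MERGED,
    0xC098: struct.pack(">HI", JSR_ABS_L, 0x301068),   # the call Quickman found
    0xC0AA: struct.pack(">HI", JSR_ABS_L, 0x301328),   # the call LocalH found
})


def find_dangling_calls(rom):
    """Every JSR/JMP (xxx).L at an even offset whose target lies past the end of the image.
    Data that happens to contain $4EB9/$4EF9 shows up too, so confirm hits in a disassembler."""
    hits = []
    for off in range(0, len(rom) - 5, 2):
        op, target = struct.unpack_from(">HI", rom, off)
        if op in (JSR_ABS_L, JMP_ABS_L) and target >= len(rom):
            hits.append((off, op, target))
    return hits


def find_all(hay, needle):
    """All offsets of `needle` in `hay` (overlapping matches included)."""
    out, i = [], hay.find(needle)
    while i != -1:
        out.append(i)
        i = hay.find(needle, i + 1)
    return out


def relocate(target, donor, donor_base, rom, before=0, after=16):
    """Where the code at donor address `target` ended up in `rom`, or None.
    The pattern is donor[target-before : target+after]; exactly one match is required, as
    LocalH checked ("it's the only match"). `before` is added back so the result is the
    routine start, not the start of the search window (the $131A-vs-$1328 slip in post 5)."""
    donor_off = target - donor_base
    lo, hi = donor_off - before, donor_off + after
    if lo < 0 or hi > len(donor):
        return None
    matches = find_all(rom, donor[lo:hi])
    return matches[0] + before if len(matches) == 1 else None


def fix_rom(rom, donor, donor_base=DONOR_BASE, context=14):
    """Patch every dangling absolute-long call whose new target can be found uniquely.
    First try the routine's own first 16 bytes; if an operand differs between builds, fall
    back to `context` bytes of preceding code plus the routine's first two words."""
    rom = bytearray(rom)
    report = []
    for off, _op, target in find_dangling_calls(rom):
        new = relocate(target, donor, donor_base, rom)
        if new is None:
            new = relocate(target, donor, donor_base, rom, before=context, after=4)
        if new is not None:
            struct.pack_into(">I", rom, off + 2, new)   # rewrite only the 32-bit operand
        report.append((off, target, new))
    return bytes(rom), report


def patch_listing(rom, report):
    """Byte-level patch list in the form Esrael posted, e.g. '$C098 to 4EB900001068'."""
    return [f"${off:X} to {rom[off:off + 6].hex().upper()}"
            for off, _target, new in report if new is not None]


if __name__ == "__main__":
    fixed, rep = fix_rom(MERGED_ROM, DONOR_ROM)
    for line in patch_listing(fixed, rep):
        print(line)
```

On the constructed images this yields the same two patches the thread arrived at by hand, `$C098 to 4EB900001068` and `$C0AA to 4EB900001328`. The scan is a heuristic: it only looks at even offsets, it will flag data words that happen to equal $4EB9 or $4EF9, and it says nothing about calls whose targets are inside the image but wrong, so every hit and every relocation still wants a look in a disassembler before the bytes are written.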
  8. Quickman (Tech Member)
    You posted that at the exact same moment that I fixed the last one. Heh.

    Nonetheless, thank you for making my life easier by putting Knuckles in Sonic 2 first.
     
  9. Esrael (Tech Member)
  10. Quickman (Tech Member)
    Have you fixed the two bugs you have shown there in the fixed IPS patch? I'd like to know before I use it.
     
  11. Esrael (Tech Member)
    Yes. I have fixed all bugs found here.
     