Source code found in ROMs

Posted by Thomas Jentzsch, 09 November 2008 · 64 views

I was a bit bored this weekend, so I had a closer look at some games. A lot of games, especially those from Taiwan, contain garbage data which is unused by the game itself. Often this garbage contains traces of the game's development, sometimes even snippets of source code. In this entry I will post some of the source code I found.

#1: Words Attack (Sancho)

The following code can be found at offset 0x6ae in the ROM. To make it readable, you only have to AND every byte with 0x7f.

Short, but lots of labels are used. An original? Or an advanced disassembly? :(

************************
*TAG DELETE CONTROL SUB*
************************
TDCS LDY BUFF3
  LDA GUNINDT,Y
  TAY
  LDA TAGX1,Y
  CLC
  ADC #$0B
  STA BUFF3
*****
TDCSA LDA TAGX1,X
  STA BUFF4
  CLC
  ADC #$20
  STA BUFF5
  CLC
  ADC #$20
  STA BUFF6
  LDX #$02
TDCSA2 LDA BUFF4,X 
  CMP #$A0 
  BCC TDCSA1
  CLC
  SBC #$A0 
TDCSA1 STA BUFF4,X
  DEX
  BPL TDCSA2
  LDX #$02
TDCSA5 LDA BUFF4,X
  CMP #$98
  BCS TDCSA3
  CMP BUFF3
  BCS TDCSA3
  CLC
  ADC #$09
  CMP BUFF3
  BCS TDCSA4
TDCSA3 DEX
  BNE TDCSA5
TDCSA4 STX BUFF7
********
  LDX BUFF2
  LDA TAGF1,X
  AND #$07
  BEQ TDCS1
  LDX BUFF7
  CMP
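
The "AND every byte with 0x7f" step from this entry, as an added example that is not part of the original post: a small Python scanner that walks a ROM image and reports every run of bytes that reads as ASCII, either directly (as in the Lost Luggage dumps further down, where no decoding was needed) or only after clearing bit 7 (as here). It goes slightly beyond the entry by trying both encodings in one pass. The sample image, its offsets and its filler bytes are constructed for the demonstration; the two text fragments inside it are copied from the listings in this post.

```python
"""Scan a ROM image for leftover source text.

Added example, not code from the original post. Two encodings are tried:
plain 7-bit ASCII, and ASCII stored with bit 7 set on every byte, which is
what the post's "AND all bytes with 0x7f" step undoes.
"""
import sys
from typing import List, Tuple

MIN_RUN = 8                      # shorter runs are usually data, not text
CONTROL_OK = {0x09, 0x0A, 0x0D}  # tab, LF, CR may appear inside source text


def _printable7(b: int) -> bool:
    """True if the 7-bit value b is printable ASCII or an allowed control code."""
    return 0x20 <= b <= 0x7E or b in CONTROL_OK


# Each view: (label, acceptance test on the raw byte, decoder to the 7-bit value).
# The high-bit view only accepts bytes that actually have bit 7 set, so plain
# code bytes that happen to be printable never count as masked text.
VIEWS = (
    ("plain",    lambda b: b < 0x80 and _printable7(b),         lambda b: b),
    ("high-bit", lambda b: b >= 0x80 and _printable7(b & 0x7F), lambda b: b & 0x7F),
)


def find_text_runs(rom: bytes, min_run: int = MIN_RUN) -> List[Tuple[int, str, str]]:
    """Return (offset, view, text) for every maximal run of at least min_run
    bytes that decodes to text under one of the two views, sorted by offset."""
    hits = []
    for label, accept, decode in VIEWS:
        start = None
        # One trailing byte that no view accepts closes a run at the very end.
        for i, b in enumerate(rom + b"\x00"):
            if accept(b):
                if start is None:
                    start = i
            elif start is not None:
                if i - start >= min_run:
                    text = bytes(decode(x) for x in rom[start:i]).decode("ascii")
                    hits.append((start, label, text))
                start = None
    return sorted(hits)


# Constructed sample image (not a real ROM): 6502-looking filler, a source
# fragment stored with bit 7 set (as in the Words Attack ROM), more filler,
# and a plain-ASCII fragment with line numbers (as in the Lost Luggage ROM).
_FILLER = bytes([0xA9, 0x00, 0x85, 0x02, 0xA2, 0xFF, 0x9A, 0x00]) * 4   # 32 bytes
_HIGH_BIT_SRC = b"TDCS LDY BUFF3\r  LDA GUNINDT,Y\r"
_PLAIN_SRC = b"9540 BLKSUIT .BYTE 0,0,0,0\r"
SAMPLE_ROM = (
    _FILLER
    + bytes(b | 0x80 for b in _HIGH_BIT_SRC)   # text lands at offset 0x20
    + bytes([0xFF, 0x00] * 8)
    + _PLAIN_SRC                               # text lands at offset 0x4f
    + bytes([0xFF, 0x00] * 4)
)


def report(rom: bytes) -> str:
    """Format hits one per line; CR/LF are shown as '|' so a hit stays on one line."""
    lines = []
    for offset, label, text in find_text_runs(rom):
        shown = text.replace("\r", "|").replace("\n", "|").replace("\t", " ")
        lines.append(f"0x{offset:04x} {label:8s} {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python romtext.py game.bin   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ROM
    print(report(data))
```

Graphics data and long fills of $FF or $00 do not decode under either view, and the minimum run length filters out the one- or two-character coincidences that 6502 opcodes such as $A9 or $EA produce in the high-bit view; raise `MIN_RUN` if a particular image still yields noise.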
#2: Time Race (Suntek, Rainbow Vision)

The code starts at offset 0x4da. AND 0x7f was needed again to make it readable.

This code doesn't use any labels, so maybe it is a disassembly. :(

  LDA $D9
  CMP $9A
  BCS L4EB
  LDA $87,X
  STA $BA
  LDA $80,X
  BEQ L4F1
  INX
  BNE L4F1
L4EB LDA #$BC
  STA $BA
  LDA #$00
L4F1 STA $02
  STA $1C
  LDA $BA
  STA $07
  JMP L4A1
*
* JOB OVER DISPLAY
*
  ASL $33	   ; this is interesting, a DiStella disassembly shows that we have 3 bytes of data here
  ADC $A5	   ; .byte $06, $33, $65
  LDY $85	   ; lda $a4
  PHP		   ; sta COLUPF
  LDX #$00
L505 LDA $8E,X
  STA $02
  STA $0D
  LDA $91,X
  STA $0E
  LDA $94,X
  STA $0F
  INX
L514 DEC $D9
  LDA $D9
  BEQ L53B
  LSR A
  BCC L505 
  LDA $D1
  CMP $D9
  BCC L52E
  LDA ($A1),Y
  STA $BA
  LDA ($9F),Y
  BEQ L530
  INY
  BNE L530
L52E LDA #$00
L530 STA $02
  STA $1B
  LDA $BA
  STA $06
  JMP L514
L53B STA $02
  LDA $A4
  STA $09
  LDX #$00
  STX $0D
  STX $0E
  STX $0F
  LDX #$0A
  LDA $E8
  BPL L560
  LDY $A7
L551 LDA #$F9
  DEY
  BPL L558
  LDA #$F1
L558 STA $AE,X
  DEX
  DEX
  BPL L551
  BMI L56B
L560 LDA #$83
  CLC
L563 STA $AE,X
  ADC #$05
  DEX
  DEX
  BPL L563
L56B LDY $A6
  STY $BA
  LDX #$00
  LDY #$04
  JSR L59F
  LDX #$0F
L578 STA $02
  DEX 
  BNE L578
  JMP L009
L580 LDX #$FF
L582 INX
  SEC
  SBC #$34
  BPL L582
  RTS
L589 STA $02
  SEC
L58C SBC #$0F
  BCS L58C
  EOR #$0F
  ASL A
  ASL A
  ASL A
  ASL A
  ADC #$90
  STA $10,X
  STA $02
  STA $20,X
  RTS
L59F STX $1B
  STX $1C
  STX $02
  LDA #$3B
  JSR L589
  LDA #$43
  INX
  JSR L589
  LDX #$03
  STX $04
  STX $05
  LDX #$01
  STX $25
  STX $26
  STA $02
  STA $2A
  LDA $BA
  STA $06
  STA $07
L5C6 LDA ($AE),Y
  STA $BA
  STA $02
  LDA ($B8),Y
  STA $1B
  LDA ($B6),Y
  STA $1C
  LDA ($B4),Y
  STA $1B
  LDA ($B2),Y
  TAX
  LDA ($B0),Y
  STY $BB
  LDY $BA
  STX $1C
  STA $1B
  STY $1C
  STY $1B
  LDY $BB
  DEY 
  BPL L5C6
  LDA #$00
  STA $25
  STA $26
  STA $1B
  STA $1C
  RTS
L5F9 LDA #$00
L5FB DEX
  STA $00,X
  CPX #$4F
  BCS L5FB
  LDY #$2A
L604 LDA $F706,Y
  STA $0080,Y
  DEY 
  BPL L604
  RTS
*
* ACOUN
#3: Year 1999

Again, no labels. This is the last of the three games I found that require the AND 0x7f step. Offset 0x559.

	  $C0
  BEQ L594
  LDA $0C
  ASL A
  BCS L594
  LDA $B5
  BNE L56B
  LDA $C0
  ORA #$08
  STA $C0
L56B LDA #$08
  STA $15
  LDA $84
  CLC
  ADC $D8
  STA $87
  LDA #$08
  STA $8A
L57A LDA $8A
  CLC
  ADC $D1
  STA $8A
  CMP #$B8
  BCS L552
  LSR A
  LSR A
  LSR A
  LSR A
  EOR #$0F
  SEC
  SBC #$05
  STA $17
  AND #$FC
  STA $19
L594 LDA $CB
  NOP
  BNE L59C
  JMP $F66F
L59C LDA $C0
  BNE L5B7
  LDA $0280
  AND #$10
  BNE L5DA
  LDA #$00
  STA $C2
  LDA #$E0
  STA $C0
  LDA #$50
  STA $84
  LDA $D3
  STA $C7
L5B7 LDA $B5
  BEQ L5BE
  JMP L66F
L5BE LDA $0280
  LDY $84
  ASL A
  BCS L5CF
  CPY #$8C
  BCS L5D8
  INY
  INY
  JMP L5D8
L5CF ASL A
  BCS L5D8
  CPY #$0A
  BCC L5D8
  DEY
  DEY
L5D8 STY $84
L5DA LDA $88
  BEQ L5F9
  LDA #$0C
  STA $16
  LDA $88
  SEC
  SBC $D1 
  STA $88 
  CMP #$07
  BCS L613
  LDA $A7
  STA $A4
  LDA #$00
  STA $88
  STA $1A
  STA $16
L5F9 DEC $A4
  BNE L613
  LDA #$0F
  STA $CD
  LDA $80
  CLC 
  ADC #$08
  STA $85
  LDA $82
  SEC
  SBC #$08
  BCS L611
  LDA #$00
L611 STA $88
L613 LDA $CC
  BEQ L622
  DEC $CC
  LDA $CC
  STA $1A
  ASL A
  EOR #$FF
  STA $18
L622 LDA $89
  BEQ L646
  LDA #$0C
  STA $16
  LDA $D1
  LSR A
  STA $9C
  LDA $89
  SEC
  SBC $9C
  STA $89
  CMP #$07
  BCS L660
  LDA $A7
  STA $A5
  LDA #$00
  STA $89
  STA $1A
  STA $16
L646 DEC $A5
  BNE L660
  LDA #$0C
  STA $CC
  LDA $81
  CLC
  ADC #$08
  STA $86
  LDA $83
  SEC 
  SBC #$08
  BCS L65E
  LDA #$00
L65E STA
That's pretty weird...I'm amazed that you could spot that. :(

vdub_bobby, on Tue Nov 11, 2008 5:06 AM, said:

That's pretty weird...I'm amazed that you could spot that. :)

Happened by accident. I was comparing several Space Jockey clones (incl. Time Race) due to the Air Raid thread and found that one Time Race was 4k instead of 2k. The superfluous bytes showed some kind of obvious pattern, some of them in three-byte groups. The rest was easy.
That's pretty wild. Do they correspond to code in the game they were found in?

SpiceWare, on Tue Nov 11, 2008 5:25 PM, said:

That's pretty wild. Do they correspond to code in the game they were found in?

Yes, 100%. I gave the offset of the code in the ROM in my posts above.
#4: Time Race (Goliath - Hot Shot)

Same "trick", offset 0xa0b. No labels, few comments.

L589
*13 23 DISPLAY BULLET
  LDX #$03
  LDA $D6
  JSR L589
*14 24 DISPLAY ENIMY BULLET
  INX
  LDA $D4
  JSR L589
  STA $02
  STA $2A
  STA $02
  STA $2B
  LDA #$05
  STA $05
  LDA #$0E
  STA $08
  LDX #$00
  STX $04
  STX $02
  STX $0A
  LDA #$03
  STA $D7
  LDA #$99
  STA $D9
L438 LDA $D7
  BEQ L49E
  TAY
  LDA $D9
  AND #$FE
  CMP $D5
  PHP
  CMP $9A
  BCS L453
  LDA $87,X
  STA $BA
  LDA $80,X
  BEQ L451
  INX
L451 STA $BB
L453 LDA $00C1,Y
  STA $02
At the very beginning of the ROM, remnants of the development system can be found:
.v.&.D.----- NEXT OBJECT FILE NAME IS 
SOURCE FILE: ** OOPS! DOS ERROR! CODE=
And a lot of shorter strings, including mnemonics.
#5: Cabbage Patch Kids [a4]

Mainly definitions with interesting comments, only very few bytes of code. (AND $7f again)
  $6C,$FE,$FE,$BF,$7E,$18,$3E,$06,$00
*
BEE2
  DFB $6C,$FE,$FE,$BF,$7E,$30,$F8,$40,$00
*
********************************
  CONTAINS FLDPTR FOR BOTTOM
*
*
********************************
*RAM USED FOR TIMEBAR AND APPLE BANDS
*RAM RESERVED...$99--$9F...
*
*
TIMEBAR = $99;LENGTH OF BONUS TIME ON TIME BAR
APPLPOS = $9A;APPLE H POSITION
APPLMASK = $9B;MASK TO HIDE APPLE IF NOT NEEDED
*
*
********************************
*
*RAM RESERVED FOR SPRITE A
*CABBAGE PATCH GIRL
*
*RAM RESERVED.....$A0--$AF.....
*
*
ADAT = $A0;INDIRECT POINTER FOR GIRLS DATA
ACOL = $A2;INDIRECT POINTER FOR GIRLS COLOR
AIMG = $A4;IMAGE POINTER
AORD = $A5;IMAGE DISPLAY DIRECTION
*
AHPOS = $A6;GIRLS HORIZ POSITION
AVPOS = $A7;GIRLS VERTICAL POSITION
*
GIRLSTS = $A8;GIRLS STATUS BYTE
JUMPWORD = $A9;JUMP STATUS WORD
JUMPTIM = $AA;JUMPTIMER
*
********************************
*
*RAM RESERVED FOR OTHER OBJECT (BOTH BOTTOM AND TOP
*
*RAM RESERVED...$B0--$BF...(TOP)
*
BDAT = $B0;INDIRECT POINTER FOR OBJECT
BCOL = $B2;INDIRECT POINTER FOR COLOR
BCOUNT = $B4;STARTING LINE FOR B 0BJECT
BIMG = $B5;IMAGE POINTER
BCTL = $B6;CONTROL BYTE
BHPOS = $B7;HORIZ POSITION
BVPOS = $B8;VERTICAL POSITION
REPOWRD = $B9;FLAG TO TELL IF REPOSIT OF B IN
;MIDDLE
*
*
*RAM RESERVED...$C0--$CF...(BOTTOM)
*
B2DAT = $C0;INDIRECT POINTER FOR OBJECT
B2COL = $C2;INDIRECT POINTER FOR COLOR
B2IMG = $C4;IMAGE POINTER
B2CTL = $C5;CO
The last lines are repeated again at the very end of the ROM:
		 C0;INDIRECT POINTER FOR OBJECT
B2COL = $C2;INDIRECT POINTER FOR COLOR
B2IMG = $C4;IMAGE POINTER
B2CTL = $C5;CO
#6: Cabbage Patch Kids [a5]

Same game again, other version. Some code this time.
   EC FRAME1
  LDA #0
  STA: ATBORD
  NOP
*
  LDY APOINT
  BEQ NOA4
  DEC APOINT
  LDA (ACOL),Y
  STA ATACOL
  LDA (ADAT),Y
  STA ATADAT
*
LINE5
  LDY BPOINT
  BEQ NOB5
  LDA (BDAT),Y
  STA ATBDAT
  LDA (BCOL),Y
  STA ATBCOL
  DEY
  LDA (BDAT),Y
  TAX
  DEY
  STY BPOINT
*
MIDLIN5
  INC FRAME1
  DEC FRAME1
  NOP
  LDA DUMMY
*
  LDY APOINT
  BEQ NOA6
  DEC APOINT
  LDA (ACOL),Y
  STA ATACOL
  LDA (ADAT),Y
  STA ATADAT
LINE6
  STX BDAT
  INC FRAME1
  DEC FRAME1
  INC FRAME1
  DEC FRAME1
  INC FRAME1
  DEC FRAME1
  NOP
  NOP
  NOP
  LDX BOTFLD
  STX FLDPTR
  JMP ENDMID
*
*
*
NOA6
  INC FRAME1
  DEC FRAME1
  NOP
  NOP
  LDA DUMMY
  JMP LINE6
*
*
*
*
FINROAD
  NOP
  LDA #0
  STA ATBDAT
*
  LDX #2
  LDA SHADOWCL
  STA ATACOL
  LDA SHADOW
*
FINRDLP
  STA ATWAIT
  STA ATADAT;DOING SHADOW
*
  LDY FLDPTR
  LDA FCOL,Y
  STA ATFCOL
  LDA FR0,Y
  STA ATFR0
  LDA FR1,Y
  STA ATFR1
  LDA FR2,Y
  STA ATFR2;CONTINUE DISPLAYING FIELD
*
  DEC FL
#7: Lost Luggage

Here we find different code in both versions. No decoding necessary.

Lost Luggage (1981) (Apollo - Games by Apollo, Ed Salvo) (AP-2004).bin:
Line numbers!? :)
	 E,$7E,$24,$3C
9540 BLKSUIT .BYTE 0,0,0,0,0,0,0,0,0,0
9550  .BYTE 0,0,0,0,0,0
9560 SUIT1 .BYTE $00,$3C,$3C,$3C,$3C,$3C,$18
9570  .BYTE $00,$00,$00,$00,$00,$00,$00
9580 SUIT2 .BYTE $00,$18,$18,$18,$18,$18,$00
9590  .BYTE $00,$00,$00,$00,$00,$00,$00
9600 SUIT3 .BYTE $00,$18,$18,$3C,$24,$66,$42
9610  .BYT
  ,$24,$24,$24,$24,$24,$24
9670
*= $77FD
9880 ENDSCRN JMP SCRNEND
9890
"Lost Luggage (1981) (Apollo - Games by Apollo, Ed Salvo) (AP-2004) [a].bin"
Lots of small pieces.
  LSR A
  LSR A
  STA SNDTYPE1
  LDA #SUITCASE&255
  STA INTL
	A #$60
  BCS CONTINU
  .BYTE 0,0,0,0,0,0
SUIT1 .BYT
SUIT3 .BYTE $00,$18,$18,$3C,$24,$66,$42
  .BYTE $00,$00,$00,$00,$00,$00,$00
SUIT4 .BYTE $00,$
BRIEF .BYTE $00,$00,$00,$00,$00,$18,$18
  .BYTE $3C,$7E,$7E,$00,$00,$00,$00
SOCKS .BYTE $00,$44,$CC,$66,
The LADS compiler I used on the C= 128 had line numbers. You entered the code just as if it were a BASIC program, using the standard load/save "filename",8.
#8: Squoosh (the later version)

Obviously some Atari 800 code in here.
.OR $F1 
ADDRRAML .BS 1;SHARED RAM BEGINNING ADDRESS 
ADDRRAMH .BS 1
ADDR800L .BS 1;ATARI 800 RAM BEGINNING ADDRESS  
ADDR800H .BS 1
BYTECNTL .BS 1;BYTE COUNT TO TRANSFER
BYTECNTH .BS 1	
UNUSED .BS 1 
WORKRAML .BS 1	
WORKRAMH .BS 1 
WORK800L .BS 1 
WORK800H .BS 1	
WORKCNTL .BS 1	
WORKCNTH .BS 1	
HOLD .BS 1 
PORTA .EQ $D300;PORT A DATA	
PORTB .EQ $D301;PORT B DATA	
PACTL .EQ $D302;PORT A DIRECTION 
PBCTL .EQ $D303;PORT B DIRECTION 
.OR $600 
  LDA $F4 
  BNE START 
  LDA #$30
  STA $F4 
  LDA #$10 
  STA $F6
START LDX #5
INITLOOP LDA ADDRRAML,X 
  STA WORKRAML,X
  DEX 
  BPL INITLOOP 
  LDA PACTL 
  AND #$FB
  STA PACTL;SET PORT A FOR DIRECTION REGISTER 
  LDA PBCTL 
  AND #$FB
  STA PBCTL;SET PORT B FOR DIRECTION REGISTER 
  STX PORTA;SET
  BNE RAMLOPA	 
  DEC WORKCNTH
  BNE RAMLOPA 
  LDX #$FF 
  STX PORTB;
#9: Pompeii

Maybe the labels and comments help us understand how the game was meant to work? :)

SCRLP1
  STA STRTLINE;<<<<<<<<<<<<
  NOP
  NOP 
  STA WORK
  LDA (DNROCK1),Y 
  STA BULLETR
  LDA MNT1,Y 
  STA HIRESL
   TA COLORR
  LDY #6 
;"VOLCANO LOOP 2"
  STA HIRESL 
  LDA VOLC2,Y 
  STA LOWRES3 
  LDA LAVA2,Y
  STA SHIFTCLR
  LDA #$E0
  STA LOWRES3 
  LDY #8 
  LDA #$30
  ST
IRESR 
  STA WORK
  NOP
  NOP 
  NOP 
  NOP 
  NOP
  LDA (DNROCK3),Y 
  STA BULLETR 
  STX HICNTLL 
  JSR DELAY12 
  LDA #0 
  STA HICNTLL 
  DEY 
  BNE SCRLP3 
; "BACKGROUND COLOR"
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 
;BACKGROUND COLOR TABLE

SpiceWare, on Thu Nov 13, 2008 10:30 PM, said:

The LADS compiler I used on the C= 128 had line numbers. You entered the code just as if it were a BASIC program, using the standard load/save "filename",8.

Makes sense.

It seems that Apollo used a mixture of line-numbered and non-line-numbered development environments.
I wonder if this is more an artifact of the assembler than anything intentional. The assembler uses a 4K block of memory for the final output which previously contained the ASM code (post some kind of pre-assembler which explains the lack of comments and constants).