Need some M68k assembly help


  • Need some M68k assembly help

    Hoping someone here can help me with this. The ROM is Outlander (U) [!].bin. I found a password at $05FB32. The password is PSYCHOSLAPHEAD. When I enter the password, it's not accepted. I found the routine that checks to see if that specific password has been entered, but that routine is never accessed. I changed some code so it runs the routine and accepts the password, but I found that all it does is accept any random password. I'm guessing I inserted my new code in the wrong place? Or maybe there's some controller buttons I need to press?

    Anyways, here's some of the info I have so far...

    The routine that checks that password starts at $012054...

    01:2054 48 E7 MOVEM.L {d0-a7}[c0 c0],-(A7) A0=00FF0B6A A1=00FF03D0 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFF2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:2058 41 F9 LEA ($0005FB32),A0 A0=00FF0B6A A1=00FF03D0 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:205E B3 08 CMPM.B (A0)+,(A1)+ A0=0005FB32 A1=00FF03D0 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:2060 66 00 BNE #$001C [01:207E] A0=0005FB33 A1=00FF03D1 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:2064 0C 10 CMPI.B #$FF,(A0) A0=0005FB33 A1=00FF03D1 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:2068 67 00 BEQ #$0008 [01:2072] A0=0005FB33 A1=00FF03D1 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnzvC

    01:206C 60 00 BRA #$FFFFFFF0 [01:205E] A0=0005FB33 A1=00FF03D1 A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnzvC

    This routine is NOT run when entering the password. Here is the new code I inserted to get the routine to run...

    00:2180 4E F9 JMP ($00012054)

    As you can see above, at 01:205E it compares A0 (0005FB32 = start of password in ROM) to A1 (00FF03D0 = RAM address for first letter of password entered). Then it compares 0005FB33 to 00FF03D1, and so on. At 01:2064, it determines when the end of the password has been reached and branches to 01:2072. Here's that assembly...

    01:2072 3D 7C MOVE.w #$0001,$07C6(A6) A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    01:2078 4E B9 JSR ($000056CA) A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFE2 D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnzvc

    00:56CA 4A 6E TST.W $0A52(A6) A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFDE D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnzvc

    00:56CE 66 08 BNE #$08 [00:56D8] A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFDE D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    00:56D0 33 FC MOVE.w #$0045,($00FF0B8E) A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFDE D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnZvc

    00:56D8 3D 7C MOVE.w #$0001,$0412(A6) A0=0005FB40 A1=00FF03DE A2=00FF2F5E A3=00C00000 A4=0000BB28 A5=00C00004 A6=00FF0000 A7=00FFFFDE D0=00000005 D1=00000000 D2=00000007 D3=0000000E D4=4BB40002 D5=00360000 D6=FFFF00D4 D7=0000000D xnzvc

    00:56DE 4E 75 RTS


    It's entirely possible that the password doesn't do anything, but it seems unlikely that they would have the password, and have a routine specifically for that password. Can anyone figure out how to activate that password? I'd appreciate any help.
    Last edited by Tony H; 07-14-2010, 11:49:38 AM.
    The Code Hut: http://codehut.gshi.org/

  • #2
    FF0412 set to 1 looks like the most important piece of the puzzle. FF0A52 is the SFX on/off setting on the title screen, and FF0B8E is a sound effect index to play (index $45). The normal password entry uses $3C, which can be replaced with $45 to hear the comparison. The FF0412 address is the only real change from the routines executing. There's a bunch of short subroutines in the 005xxx range, some of which check FF0412. Those checks just seem to be involved with whether to play SFX or not. Maybe FF0412 disables both music and SFX? If so, it doesn't look promising for the password doing anything. I also have to wonder if a bunch of those $005xxx subs are unused leftovers as well.



    • #3
      Thanks for taking a look JLukas. There's a beta version of the game, but I get the same results with that.
      The Code Hut: http://codehut.gshi.org/



      • #4
        Ahh, I missed another bit being set, and now it makes sense. Right before the JSR to 005xxx it sets FF07C6 to $0001. There are two checks in the game for that address: one for driving, and one for action (side scrolling) mode. In either mode, press Start on controller 2, and health is restored to full (FF0760 set to $01FF).

        Pro Action Replay
        FF0760:01FF Infinite health



        • #5
          Awesome! Too bad the programmers disabled it in the final game. I'll have to see if I can figure out how to enable it with fewer than the 3 Game Genie codes my new code requires (00:2180 4E F9 JMP ($00012054)). If it's gonna take 3 GG codes, then I might as well just overwrite some existing code with something that will force a value of 0001 into FF07C6... that would probably only take 3 GG codes, and you wouldn't have to worry about entering a password.

          Anyways, thanks for figuring that out. Another Genesis mystery solved.
          The Code Hut: http://codehut.gshi.org/



          • #6
            An update with good news, it's not disabled. No cheat cart required for PSYCHOSLAPHEAD. While everything matches up to it being typed in the password screen - the amount of characters fits perfectly, the text is stored right after BAD PASSWORD / PASSWORD ACCEPTED strings, and the memory address range matches typed digits - that's not where it goes. It must be typed as the player name for a new high score.

            And there was an even bigger problem preventing the discovery. In order to reach the code block quoted in the first post, the game uses a 61 00 BSR #$034E. Something like that won't show up in a pointer search, and causes the trail to go cold instantly. It's the same situation with BRL on the SNES.

            Now, for the SNES version:

            Enter STARBUG1 at the high score name entry screen for a credits roll.

            The Genesis PSYCHOSLAPHEAD cheat is instead SMEGHEAD. The funny part is that they even obfuscated it by subtracting $41 from each byte, while the STARBUG1 check next to it is in plain ASCII. Anyway, after typing it, the name is changed to CHEATED and 7E07E9 set to $01. That's all it does, because of a programming error. After the high score screen, the game jumps back to the company logo...where RAM is cleared, wiping out the bit setting.

            Using GG/PAR codes to get past that error will restore it. In side scrolling action areas press Start on controller 2 to restore health, just like the Genesis version. Also, Outlander on the title screen is changed to be transparent.

            Super Nintendo

            Outlander

            Pro Action Replay

            7E07E901 Restore health to full in side scrolling mode by pressing Start on controller 2

            7E0404FF + 7E040501 Infinite health in side scrolling mode

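Added example, not part of any post in this thread: post #6 notes that a `61 00 BSR #$034E` never shows up in a pointer search. The sketch below runs both searches over a constructed image that holds the routine bytes from the first post's trace at $012054, and it generalizes to every 68000 BRA/BSR/Bcc form. The caller address is computed for this sample only and is not taken from the ROM; `build_sample`, `find_absolute_refs` and `find_relative_refs` are hypothetical names.

```python
import struct

# Bcc condition field (low nibble of the first opcode byte, which is 0x6n).
MNEMONICS = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
             "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]

def find_absolute_refs(image, base, target):
    """Classic pointer search: addresses where the 32-bit big-endian value occurs."""
    needle = struct.pack(">I", target)
    return [base + i for i in range(len(image) - 3) if image[i:i + 4] == needle]

def find_relative_refs(image, base, target):
    """Candidate 68000 branches (BRA/BSR/Bcc) whose destination is `target`.

    Destination = address of the opcode + 2 + sign-extended displacement.
    Data that happens to look like a branch is reported too, so treat hits as leads.
    """
    hits = []
    for off in range(0, len(image) - 1, 2):        # opcodes are word-aligned
        op, d8 = image[off], image[off + 1]
        if op >> 4 != 0x6 or d8 == 0xFF:           # 0xFF: odd target on a 68000
            continue
        if d8 == 0x00:                             # 16-bit displacement follows
            if off + 4 > len(image):
                continue
            disp, size = struct.unpack_from(">h", image, off + 2)[0], "W"
        else:                                      # 8-bit displacement in opcode
            disp, size = (d8 - 0x100 if d8 & 0x80 else d8), "S"
        if base + off + 2 + disp == target:
            hits.append((base + off, f"{MNEMONICS[op & 0xF]}.{size}", disp))
    return hits

def build_sample():
    """Constructed image: NOP filler, the routine bytes from the trace at $012054,
    and one BSR.W #$034E placed where that displacement lands on $012054."""
    base = 0x11D00
    image = bytearray(b"\x4E\x71" * ((0x12070 - base) // 2))
    routine = bytes.fromhex("48E7C0C0" "41F90005FB32" "B308" "6600001C"
                            "0C1000FF" "67000008" "6000FFF0")
    image[0x12054 - base:0x12054 - base + len(routine)] = routine
    caller = 0x12054 - 2 - 0x034E                  # = $011D04 in this sample only
    image[caller - base:caller - base + 4] = bytes.fromhex("6100034E")
    return bytes(image), base

if __name__ == "__main__":
    image, base = build_sample()
    print("absolute refs to $012054:", find_absolute_refs(image, base, 0x12054))
    for addr, name, disp in find_relative_refs(image, base, 0x12054):
        print(f"${addr:06X} {name} disp={disp:#x} -> $012054")
```

The same absolute search does find the `LEA ($0005FB32),A0` operand, which is why the password string leads to the routine while the routine's own entry point turns up nothing.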


            • #7
              Very interesting. I didn't even know there was a high score screen where you could enter your name. Thanks again for all your help on this. Good stuff. Did you happen to see the text in the ROM starting at $0029A4? Kinda funny. Stuff that the development team wrote while making the game.

              For any fans of the game, here are some new Game Genie codes for Outlander, as well as some of my older ones. Note that the infinite gas GG code here on GSHI doesn't work. The new one below does work.

              Outlander (Genesis)

              A26T-AA4J
              Infinite gas. NOTE: Turn code off at the last town.


              92CA-AGC0
              Start a new game with twice as much car health (AKA engine oil).


              AJ2T-AA4L + AD1A-AAC0
              Take almost no damage while driving. Code protects you from everything
              except guys shooting at your windshield.


              P2CA-BJVT
              Start a new game with the super charger (makes your car go much faster).


              P2CA-BAV2
              Start a new game with lots of nitro. Press A+B+C together for nitro boost.


              P2CA-BAVY
              Start a new game with lots of Surface to Air Missiles (SAMs). Press "C" three
              times to fire a missile. The missiles will only fire if there is a helicopter
              nearby.


              ABJT-AABA
              Infinite shotgun ammo when walking (as long as you have at least one shell).


              Here are some of my older Game Genie codes for Outlander....


              AK0A-AA9E
              Infinite health (when walking).


              AJ2T-AA4L
              Take less damage while driving car.


              EACA-ALCL
              Car starts with max machine gun ammo.


              ALVA-AA86
              Car has infinite machine gun ammo.


              YACA-AACT
              Car starts with max shotgun ammo.


              ALXA-AA70
              Car has infinite shotgun ammo.


              AJ2A-AA9R
              Infinite nitro (once you have it).
              The Code Hut: http://codehut.gshi.org/



              • #8
                One more code for Outlander...

                AAYT-AAE6
                Lets you see stuff the development team wrote while making the game. When
                you get to the title screen, don't press any buttons. After 15 seconds, it
                will show you controller info, then the credits, then the stuff the development
                team wrote.
                Last edited by Tony H; 07-24-2010, 01:04:31 PM.
                The Code Hut: http://codehut.gshi.org/



                • #9
                  These have been added to the database...
                  http://OldGameHacking.com/
                  http://www.youtube.com/user/DreamcastVideos

