Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

3gengames
Formerly 65024U
Posts: 2284
Joined: Sat Mar 27, 2010 12:57 pm

Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by 3gengames »

Hey NESDevers:

After disassembling Duck Hunt, I rewrote my tool to work on more platforms and processors and be more expandable, and I'm now going to disassemble Defender by Williams Electronics Inc. If you're interested in the code, here is the github where the code will be deposited. Here is a link to my Twitch, my username is LinguinePenguiny, and I will be disassembling every line live on stream, while explaining it if I have people watching. I'll be available for commentary, help, and teaching, BSing, anything!

I also won't disassemble anything if not streaming with Defender, unlike Duck Hunt where I did some off stream to prevent boredom, but missed a bunch of cool/large findings.

I'm going to start streaming here in an hour or two from this post, and will be starting from the beginning, so come on in and watch/chat if you want. I'll happily teach you guys 6809 asm, it's very similar to 6502, but much more flexible/easier to program, you'll really enjoy the 6809.

Thanks for reading!
dink
Posts: 157
Joined: Sun Jan 12, 2020 8:42 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by dink »

drat, I missed it :(
3gengames
Formerly 65024U
Posts: 2284
Joined: Sat Mar 27, 2010 12:57 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by 3gengames »

dink wrote: Fri May 01, 2020 8:31 pm drat, I missed it :(
Haha, follow me, I'm only through like 1% of the game's code so far. I'll be doing many more streams! Also, you can follow the github of the source I'm making if you wanna see some code comments and whatnot if you miss the stream. :)

For now I'm trying to get together an intro for a youtube channel where after I'm done reverse engineering the games, I go over everything in general detail, pointing things out in the code and whatnot. There will be more streams probably going again next week, but maybe sooner. Making my youtube intro is going extremely slow. I'm doing an NES game opening up and zooming into it, in 3D, and the 3D modeling is taking ages as I'm learning FreeCAD, too. I might get frustrated and start streaming again before finishing up the youtube stuff.
3gengames
Formerly 65024U
Posts: 2284
Joined: Sat Mar 27, 2010 12:57 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by 3gengames »

Bumping this. Made some good progress, you guys might wanna check it out. Also gonna stream the next few hours if you guys wanna watch.
3gengames
Formerly 65024U
Posts: 2284
Joined: Sat Mar 27, 2010 12:57 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by 3gengames »

I didn't stream the disassembly after the first sessions sadly, just wasn't pulling viewers and I was disassembling it sporadically.

But, it's basically done now!

Code Link

Here's a rundown of the best parts of this code that I posted on a 6809 group elsewhere.
One really cool thing about Defender is it basically implements a form of linked lists for enemies/objects in the game world (among other things), along with a multitasking OS handler, which also is based on lists. Basically, all objects' first bytes are a pointer to the next object in the list. This goes for enemy lists, tasks, everything. To jump objects they usually load the working object pointer with itself, e.g. LDX X, LDU U, etc. It is really wild IMO. It also does sound queuing in software for priority control, which is also cool.

This is the RED ROM version, but I plan on doing all others sometime in the future.

For now, some labels to note:

CORE_GAME/TASK_LOOP?
GFX_SET_* (Sets area to 0x00)
GFX_MOVE_* (Puts BMP data to screen.)
GAME_START (Goes to in-game)
DEFENDER_BOOTUP (Very first lines of code ran, rug pattern/ROM check.)
SYSTEM_PANIC
DEFENDER_GAME_INIT,ATTRACT
Any label with the word "CALLBACK" in it.

There are even bugs, like line 324 with a branch to the middle of a JSR instruction for the system panic handler, clobbering a register unintentionally. And at 2594 where they use the less efficient indexed address mode, instead of the register only version. (This happens in a few places, actually.) There are also stack issues even in this final ROM version. I'm not going to say where they are, you can find them yourself as an easter egg hunt. I did mark them with comments, so don't search for it specifically if you want to find it yourself!
Here's a breakdown of the binary.

I made it in one large binary ROM file. Defender has stable code at 0xD000 to 0xFFFF, and banks in code/data in bank 0xC000 to 0xCFFF. I put the set bank first in the ROM, followed by the banks after it.

Defender's hardware is basically a bitmapped screen from 0x0000 to 0x97FF. 4 bits per pixel for color. So the 6809 not only does the game management, but also is in charge of the graphics manipulation.

0xD000 to 0xFFFF has all the main code, most enemy logic, some GFX (Even bitmaps?), etc. Bank 1 has a few enemy callbacks and the attract screens, and scanner code. Bank 2 has most of the other bitmaps and text to screen code. Bank 3 has SRAM routines, bookkeeping, and system admin menus. Bank 7 has the dying explosion code and the land generation/manipulation code.
I also found their copy protection in this version. It works as follows:
How it works is during the Williams title drawing, it records the final drawing position sitting in X and putting it to $A168. They then check that in the star code to make sure the value matches at that location, the value #$6245. They move the value into place sneakily through some of the callbacks, storing it as the X (Screen drawing position) register to $A168 when hitting the EOF marker for the logo drawing, and then loading the U register way before storing it through an offset much later to the address $A0B8. The index is to disguise the address really used. I found this by noticing I had memory accounted for in the entire range from 0xA000 basically, but not $A0B8. This is why, even with credits, the game will not start directly on first boot until the title screen finishes. It is required to finish to place that value in the appropriate place. It also is a good idea to do so, since if someone just replaces the intro screen with their own, it also activates the code and crashes the game when replaced.
IMO, this game is a great example of coding. It's really well put together, dynamic, and just executed really well. Any questions about the code, let me know.

Code Link
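
The list layout described in the post above (the first bytes of every object are a pointer to the next object, followed with a load like LDX ,X) can be walked in a memory image as below. This is an added example, not code from the Defender source or from the poster's repository; the sample addresses, the 0x0000 list terminator and the RAM bounds are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t mem[0x10000];   /* flat 64 KiB 6809 address space */
static uint16_t nodes[16];     /* addresses visited by the last walk */

/* The 6809 is big-endian: the high byte sits at the lower address. */
static uint16_t read16(uint16_t a) {
    return (uint16_t)((mem[a] << 8) | mem[(uint16_t)(a + 1)]);
}
static void write16(uint16_t a, uint16_t v) {
    mem[a] = (uint8_t)(v >> 8);
    mem[(uint16_t)(a + 1)] = (uint8_t)v;
}

/* Follow a list whose nodes start with a 16-bit pointer to the next node.
 * Returns the node count, or -1 when a pointer leaves [lo, hi] or the chain
 * does not end within the size of nodes[] (a loop or a misread structure).
 * Assumption: a next pointer of 0x0000 ends the list. */
static int walk_list(uint16_t head, uint16_t lo, uint16_t hi) {
    int n = 0;
    for (uint16_t x = head; x != 0; x = read16(x)) {   /* x = read16(x) is LDX ,X */
        if (x < lo || x > hi || n == 16) return -1;
        nodes[n++] = x;
    }
    return n;
}

/* Constructed sample: three objects in RAM, linked out of address order.
 * With corrupt != 0 the last node points back to the first. */
static int sample_walk(int corrupt) {
    memset(mem, 0, sizeof mem);
    write16(0xA200, 0xA240);
    write16(0xA240, 0xA220);
    write16(0xA220, corrupt ? 0xA200 : 0x0000);
    return walk_list(0xA200, 0xA000, 0xBFFE);   /* assumed RAM bounds */
}

int main(void) {
    int n = sample_walk(0);
    for (int i = 0; i < n; i++) printf("object at $%04X\n", (unsigned)nodes[i]);
    printf("corrupt chain -> %d\n", sample_walk(1));
    return 0;
}
```

The bounds and length checks matter when annotating a disassembly: a walk that returns -1 usually means the offset-0 field of that structure is not a next pointer after all.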
dink
Posts: 157
Joined: Sun Jan 12, 2020 8:42 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by dink »

Thanks for sharing this, very awesome RE'ing you did there. :)

A few months back I was debugging a cpu-core bug for Krull (Gottlieb, 1983) for the FBNeo & MAME emulators, where the game would spawn invisible enemies in certain situations. I found the game uses really wild linked-lists for enemies which seem almost how you explained the enemy lists in Defender. In the second/third levels the game is capable of spawning a shedload of enemies in certain situations, which impressed me for a 1983-era game.
After many, many.... days of debugging I came to find that the emulated NEG opcode (f6 18, f7 18) was setting NEC V20-style flags when the game expected i8086-style NEG.
A few days after fixing this, I theorized that NEC V20's broken NEG opcode was probably (most likely? but unconfirmed) the reason Scorched Earth wouldn't run on my Commodore Colt (NEC v20) pc back in '90, yet worked just fine on my buddy's Tandy 1000 (i8086).

best regards,
- dink
3gengames
Formerly 65024U
Posts: 2284
Joined: Sat Mar 27, 2010 12:57 pm

Re: Reverse Engineering DEFENDER (Arcade, 1980) live on Twitch

Post by 3gengames »

That sounds like a nightmare, haha. Interesting CPU, I never heard of it before. I'm not much of an Intel-type fan, though. More 6502 and 6809 as I don't hate myself enough to learn the Intel-like stuff. :twisted: :roll: