Grumps Dream Course cart

Posted: Tue Sep 13, 2016 4:40 pm
by Guilty
Firstly, yeah I know there's a subreddit for this romhack, and they all are being pansies about legal concerns. Whatever, it's not like I'm selling this thing.


I'm trying to play a romhack of Kirby's Dream Course on my SNES! The romhack is applied to the Japanese version. I'm trying to do this without damaging any original PCBs. But there's a multilayer copy protection getting in my way! Darn! I think the best way to proceed would be to edit the rom and skip the copyright checks.

I'm not helpless with 6502, but I've never done any spectacular romhacking before. Never touched an sfc file, to boot. But I feel like this is very possible. I just don't know what tools I ought to use.
6502 disassemblers? Nonspecific 6502 assembler? SNES debugging emulator? I think I'll need all these. My targets are:

1) SRAM size check. From what I can tell the game only checks the SRAM on boot, so I should be able to just JMP right past the check. I have no idea what the SNES sets the PC to on boot though. I'd also need to disassemble the hex, because I'm not a wizard. What tools do I need to find the boot routine? What's a recommended disassembler?

2) Checksum. This seems trickier. I'd imagine my cart will fail this test since Kirby Bowl is 2MB and my cart is 4MB. I imagine this is done by getting a checksum from the rom and then doing a simple comparison to X. So, I think I'd need to find the routine that handles the checksum, figure out what my cart evaluates to, and then replace X with that. I figure this would be really simple with a debugger, I could just step through the checksum routine. No idea how to find that, but I do know of an action replay code that sets off the copyright protection, so could I trace this back?

ANY input valued!

Re: Grumps Dream Course cart

Posted: Tue Sep 13, 2016 5:16 pm
by Myask
Note that the SNES uses a later chip in the 6502 family, the 65c816, iirc. (actually a Ricoh 5a22 with some extra bits and bobs)

Re: Grumps Dream Course cart

Posted: Tue Sep 13, 2016 10:05 pm
by Guilty
Well that seems important! Thank you! At a glance, that doesn't seem to change too much. It looks like the 65c816's instruction set is very similar to the 6502. Now I have a better idea of what to google.

Re: Grumps Dream Course cart

Posted: Tue Sep 13, 2016 10:45 pm
by Myask
I'm sure yoshi will be along any moment to recommend WDC books, but is one source for just opcodes. I half-recall an opcode grid that color-coded which processor added the instruction, but…I can't seem to find it.

Re: Grumps Dream Course cart

Posted: Wed Sep 14, 2016 4:00 pm
by Guilty
I've gotten my hands on Geiger's Snes9x Debugger, and I have a disassembler (which seems to be unreliable) called Dispel. I can step through the code now!

I've used HxD to change the SRAM size in my ROM to match the SRAM size that INL's SNES flashboard would provide. Which is to say, I've changed the SRAM size from 64 Kb to 256 Kb.

Theoretically, the only thing I need to do now is step through my edited ROM and the original ROM side by side until the two differ. That shouldn't be too hard... the copy protection checks on boot, so this couldn't be too hard?

EDIT: Got it. I actually didn't find much in stepping through the code, but I did find an excellent tool called ucon64. I had to run it in DOSBox, but it took out the SRAM check and we're all good now.
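
Added example, not part of any post in this thread: a read-only Python sketch that reads the two cartridge header fields the thread touches on (the SRAM size byte and the stored checksum) and shows that changing the SRAM size byte leaves the stored checksum stale. The header offsets are the standard SNES layout rather than anything stated in the thread, the ROM image is constructed inside the code, and the game's own protection routine is not modelled.

```python
import struct

HEADER_AT = {"LoROM": 0x7FC0, "HiROM": 0xFFC0}  # standard header locations

def strip_copier_header(data):
    # Dumps from old copiers carry a 512-byte prefix that is not part of the ROM.
    return data[512:] if len(data) % 1024 == 512 else data

def read_header(rom):
    """Return the header whose checksum/complement pair is self-consistent."""
    for mapping, off in HEADER_AT.items():
        if len(rom) < off + 0x20:
            continue
        ram_exp = rom[off + 0x18]
        complement, checksum = struct.unpack_from("<HH", rom, off + 0x1C)
        if checksum ^ complement != 0xFFFF:
            continue
        sram_kbit = (8 << ram_exp) if ram_exp else 0   # 1 << n KB, in kilobits
        return {"mapping": mapping, "offset": off,
                "title": rom[off:off + 21].decode("ascii", "replace").rstrip(),
                "sram_kbit": sram_kbit, "checksum": checksum}
    return None

def byte_sum(rom):
    # Valid as-is for power-of-two image sizes; other sizes mirror the tail.
    return sum(rom) & 0xFFFF

def checksum_ok(rom):
    hdr = read_header(rom)
    return hdr is not None and hdr["checksum"] == byte_sum(rom)

def make_sample(ram_exp=3):
    """Constructed 32 KB LoROM image (not a real game) with a valid header."""
    rom = bytearray(0x8000)
    off = HEADER_AT["LoROM"]
    rom[off:off + 21] = b"CONSTRUCTED SAMPLE".ljust(21)
    rom[off + 0x15:off + 0x19] = bytes([0x20, 0x02, 0x05, ram_exp])
    struct.pack_into("<HH", rom, off + 0x1C, 0xFFFF, 0x0000)
    total = byte_sum(rom)   # the four checksum bytes always add up to 0x1FE
    struct.pack_into("<HH", rom, off + 0x1C, total ^ 0xFFFF, total)
    return rom

if __name__ == "__main__":
    rom = make_sample()
    print(read_header(rom), checksum_ok(rom))
    rom[HEADER_AT["LoROM"] + 0x18] = 5          # header now claims 256 Kbit
    print(read_header(rom), checksum_ok(rom))
```

The second line printed reports 256 Kbit with a failed checksum comparison, because the stored value still describes the image as it was before the size byte changed.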