SNES debugger hidden in a game

This is an archive of a topic from NESdev BBS, taken in mid-October 2019 before a server upgrade.
SNES debugger hidden in a game
by on (#165858)
Did anyone else see this post?

http://nintendoage.com/forum/messagevie ... did=159275

It's a hidden SNES debugger embedded in Jim Lee's WILDC.A.T.S. I've located its code, and did a (very bad, uncommented) disassembly. But, my knowledge of 65816 is weak. Does anyone out there want this?

By the way, disassembling SNES code is damned hard, every opcode is something, and the processor frequently jumps from 8-bit to 16-bit mode, so you can easily get a page full of the WRONG opcodes if you're off by 1 on the start point.

Here's a picture of it...
https://www.dropbox.com/s/djkmu8pbl1y217n/wildcats1.png
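
Added example (not part of the original thread): a minimal Python sketch of why 65816 listings go wrong, decoding the same bytes with REP/SEP flag tracking, without it, and from a start point that is off by one. The byte sequence is constructed for illustration, and the opcode table covers only the few opcodes that sequence needs.

```python
# Added example: tiny 65816 length decoder showing how the M/X status flags
# and the start offset change what a linear disassembly produces.
M_FLAG, X_FLAG = 0x20, 0x10  # P bits: set = 8-bit accumulator / 8-bit index regs

# opcode -> (text template, operand bytes in 8-bit mode, flag that widens an immediate)
OPCODES = {
    0xC2: ("REP #${}", 1, None),   0xE2: ("SEP #${}", 1, None),
    0xA9: ("LDA #${}", 1, M_FLAG), 0xA2: ("LDX #${}", 1, X_FLAG),
    0xA0: ("LDY #${}", 1, X_FLAG), 0x8D: ("STA ${}", 2, None),
    0x20: ("JSR ${}", 2, None),    0x80: ("BRA ${}", 1, None),  # raw displacement
    0x16: ("ASL ${},X", 1, None),  0x00: ("BRK ${}", 1, None),
    0x60: ("RTS", 0, None),
}

def disassemble(code, start=0, flags=M_FLAG | X_FLAG, track_flags=True):
    """Linear sweep from `start`; `flags` is the assumed P register on entry."""
    out, pc = [], start
    while pc < len(code):
        op = code[pc]
        tmpl, n, width_flag = OPCODES.get(op, (f".db ${op:02X}", 0, None))
        if width_flag and not flags & width_flag:
            n += 1  # flag clear means a 16-bit register: immediate grows by one byte
        operand = code[pc + 1 : pc + 1 + n]
        if len(operand) < n:  # ran off the end of the buffer: emit the byte as data
            tmpl, operand = f".db ${op:02X}", b""
        out.append((pc, tmpl.format(operand[::-1].hex().upper())))
        if track_flags and operand:
            if op == 0xC2:
                flags &= ~operand[0]  # REP clears the named status bits
            elif op == 0xE2:
                flags |= operand[0]   # SEP sets the named status bits
        pc += 1 + len(operand)
    return out

# Constructed sample: REP #$20 / LDA #$8000 / STA $2116 / SEP #$20 /
# LDA #$80 / STA $2115 / RTS
SAMPLE = bytes.fromhex("C220 A90080 8D1621 E220 A980 8D1521 60")

if __name__ == "__main__":
    runs = [("flags tracked", {}), ("flags ignored", {"track_flags": False}),
            ("start off by one", {"start": 1})]
    for label, kwargs in runs:
        print(f"-- {label}")
        for offset, text in disassemble(SAMPLE, **kwargs):
            print(f"  {offset:04X}  {text}")
```
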
Re: SNES debugger hidden in a game
by on (#165859)
I should probably describe it better.

Upon reading a #00 BRK, it jumps to this screen, which shows you the contents of the system RAM and the last processor status and Program Counter, etc, at the time of the crash. Also, there are ASCII tags all over the ROM, and this program somehow prints the name of the area of code that triggered the BRK.

It says "6502 IRQ/BRK vector", because I forced the Program to go there, but if another area of code caused the BRK, it would display that area's name on screen instead.

Pressing Up/Down/Left/Right and R/L buttons scrolls through the RAM.

Also, interestingly, it stores the graphics for this screen as 1 bit per pixel, and doubles each byte to produce a 2 bit per pixel version.
Re: SNES debugger hidden in a game
by on (#165860)
This discovery has been posted on The Cutting Room Floor, along with usage instructions.
Re: SNES debugger hidden in a game
by on (#165866)
I've found that https://github.com/andlabs/65816disasm does a passable job of being an automated tracing 65816 disassembler.

It's not as configurable as bisqwit's 6502-targeting clever-disasm, but seems to work.
Re: SNES debugger hidden in a game
by on (#165881)
The same screen (with slightly different text) appears in a lot of Beam Software's other SNES games (MechWarrior / BattleTech comes to mind). I've also found pretty similar crash screens in a handful of other games, more or less all of which have the same functionality.

If you want to see something really neat, a few years ago I discovered that GT Racing (and a couple of other games developed by Lenar) has a full-blown machine code monitor in the ROM, designed to run on the SNES and be used via a 9600 baud terminal connection.

I made a small assembly hack that changed the SNES-side connection handling to send/receive text via RAM instead, and Xkeeper made a Lua script for snes9x-rr that, together, made it possible to connect to the emulated SNES via TCP, enter commands to the monitor and see the results in the terminal. It's not a very useful debugger anymore since running from a ROM makes some of the functions no longer work as intended, but it was cool to see something that you didn't usually see on consoles.
Re: SNES debugger hidden in a game
by on (#165889)
That is very cool.

I also found vestigial (but working) Hu7 uploader/debugger code in these PC-Engine games:
Code:
game                    ver.    address

Atomic Robo Kid         1.10    $F400
Deep Blue               1.00    $F800
Drop Rock Hora Hora     1.10    $F400
Drop Off (U)            1.20    $F200
F-1 Pilot               1.00    $F800
Gai Flame               1.20    $F200
Gaia no Monshou         1.00    $F800
Mahjong Goku Special    1.10    $F400
Niko Niko Pun           1.10    $F400
Out Run                 1.10    $F400
P-47                    1.00    $F800
Titan           (? possibly 1.10) ~$F400


Version 1.20 of the debugger, disassembled: http://www.chrismcovell.com/texts/chris_hu7_dis.asm

The Hu7 interface is parallel-port based, and has versions for FC and SFC, I'll bet. If you look through the ROMs of Hudson-developed FC/SFC games for "DB rom" or other header text, maybe you'll find the same routines.
Re: SNES debugger hidden in a game
by on (#165934)
No luck searching either "Hu7" or "DB rom" in the No-Intro SNES set, and I don't have nearly a large enough collection of NES ROMs to try doing that at the moment.