Jul - The Cutting Room Floor - Gimmick!
Hiccup
Posted on 12-24-12 10:48:34 AM (last edited by Hiccup at 12-24-12 10:50:09 AM)
I am not familiar with the game so I will put this here.
Romhacking.net - Utilities - Gimmick! Editor
Somebody might be able to find stuff with this.

Dunno if this should go on the page?
Jul -- Cutting Room Floor: Weird Discoveries

There is also a report of an anti-piracy function on the Gimmick! article's talk page.

Rick
Posted on 12-26-12 01:27:23 AM
I poked around the level editor a bit and didn't see anything unusual in the levels. I'll poke around it more though and see what else I can find.

Any reason why it's stickied, outta curiosity? Something big happening?

RahanAkero
Posted on 12-26-12 01:53:35 AM (last edited by RahanAkero at 12-26-12 01:54:22 AM)
I may have fatfingered and stickied it on my phone, unless someone else stuck it. D:

EDIT: Unstuck, unless someone wishes to correct me. :o

Hiccup
Posted on 12-26-12 10:06:09 AM
I was not even aware of that.
:/

Rachel Mae
Posted on 12-27-12 09:52:47 AM (last edited by BMF54123 at 12-27-12 10:10:54 AM)

Well, look what I found!

The game does indeed have a copy protection routine, which is only triggered if the intro text is tampered with (as is the case with the pirated version, Shui Guan Pipe) AND the player makes it to the secret Stage 7. This prevents unsuspecting players from being able to advance to the final boss and see the good ending.

At 0x20031 in the ROM is the following code:

08:8021:BD 50 03 LDA $0350,X // load sprite ID from active sprite list
08:8024:C9 AA CMP #$AA // is it #AA?
08:8026:D0 05 BNE $802D // if no, carry on
08:8028:20 21 8F JSR $8F21 // if yes, jump to copy protection routine


This code is run whenever any sprites (aside from Gimmick himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in stage 7:
As soon as the bug is loaded into RAM, this code is run, at 0x20F31:

08:8F21:A0 1B LDY #$1B // load ROM bank #1B (intro text/routines)
08:8F23:20 5E F0 JSR $F05E
08:8F26:A2 00 LDX #$00
08:8F28:BD 5F 8F LDA $8F5F,X // load address from ROM check list
08:8F2B:85 01 STA $0001 // store in temp RAM
08:8F2D:E8 INX
08:8F2E:BD 5F 8F LDA $8F5F,X
08:8F31:85 00 STA $0000
08:8F33:E8 INX
08:8F34:A0 00 LDY #$00
08:8F36:B1 00 LDA ($00),Y // load byte from address in temp RAM
08:8F38:DD 5F 8F CMP $8F5F,X // compare with ROM check list
08:8F3B:D0 0D BNE $8F4A // if it doesn't match, UH OH! BUSTED!
08:8F3D:E8 INX // otherwise, continue to next byte/address
08:8F3E:C8 INY
08:8F3F:C0 04 CPY #$04
08:8F41:D0 F3 BNE $8F36
08:8F43:E0 1E CPX #$1E
08:8F45:90 E1 BCC $8F28
08:8F47:A9 AA LDA #$AA // if ROM checks out, reload sprite ID #AA
08:8F49:60 RTS // return to sprite processing

ROM check list @ 0x20F6F (the first two bytes of each line are the address, in big endian format, followed by the four expected bytes):
BB 9F FB 9B 1C 9C // pointers to "GIMMICK!" and "© 1992 SUNSOFT"
BC 3C 14 0F 0D 0F // "TOMO" (unused string)
A8 70 0F C9 04 D0 // part of code that checks whether last text page has been displayed
E0 A4 A0 1B 20 51 // code that loads and jumps to intro text bank
E0 A8 F0 20 00 80


This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated, at 0x20F5A:

08:8F4A:A2 00 LDX #$00 // UH OH! BUSTED!
08:8F4C:BD 7D 8F LDA $8F7D,X // load encrypted byte
08:8F4F:49 AC EOR #$AC // do some simple decryption on it...
08:8F51:38 SEC
08:8F52:E9 07 SBC #$07
08:8F54:9D 00 05 STA $0500,X // ...and store it in RAM
08:8F57:E8 INX
08:8F58:E0 60 CPX #$60 // continue until all 96 bytes are decrypted...
08:8F5A:90 F0 BCC $8F4C
08:8F5C:4C 00 05 JMP $0500 // ...and jump to $0500 (start of decrypted routine in RAM)


This is where things get really interesting. At 0x20F8D is a 96-byte block of seemingly innocuous data, which in reality is an XOR-encrypted routine! This is decrypted and copied to $0500-$055F in RAM, where it is then executed. This is what displays the BLACK HOLE text and locks up the game.

Here is the decrypted routine, with the important bits commented:

:0500:A9 FF LDA #$FF
:0502:85 29 STA $0029
:0504:20 9F F2 JSR $F29F
:0507:A9 00 LDA #$00
:0509:85 FD STA $00FD
:050B:85 FC STA $00FC
:050D:A5 FF LDA $00FF
:050F:29 FC AND #$FC
:0511:85 FF STA $00FF
:0513:A9 00 LDA #$00 // blank screen
:0515:A2 20 LDX #$20
:0517:A0 00 LDY #$00
:0519:20 2E F3 JSR $F32E
:051C:AD 02 20 LDA $2002
:051F:A9 21 LDA #$21 // set screen address $21A7
:0521:8D 06 20 STA $2006
:0524:A9 A7 LDA #$A7
:0526:8D 06 20 STA $2006
:0529:A2 00 LDX #$00
:052B:BD 4F 05 LDA $054F,X // load BLACK HOLE text
:052E:8D 07 20 STA $2007 // write to screen
:0531:E8 INX
:0532:E0 11 CPX #$11
:0534:D0 F5 BNE $052B
:0536:A9 00 LDA #$00
:0538:85 4A STA $004A
:053A:A9 01 LDA #$01
:053C:85 E9 STA $00E9
:053E:20 5B F3 JSR $F35B
:0541:A9 00 LDA #$00
:0543:85 29 STA $0029
:0545:A9 40 LDA #$40 // load font into background CHR
:0547:85 E5 STA $00E5
:0549:20 96 F2 JSR $F296
:054C:4C 91 FF JMP $FF91 // jump to infinite loop

Text string @ $054F:
00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00
__ __ __ __ B L A C K __ H O L E __ __ __


It's worth noting that none of this code is ever executed in the European version, as the triggering sprite ID was changed to #FE, which never appears during normal gameplay.

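A small Python model of the check described in the post above, added here as an example (it is not code from the thread or from the game): it walks the 30-byte check list the way the loop at $8F28 does, applies the EOR #$AC / SBC #$07 transform from $8F4A, and decodes the $054F tile string. The check list and tile bytes are the ones quoted in the post; the memory image in the demo is constructed.

```python
# Added example, not from the forum post: offline model of the Gimmick!
# anti-piracy logic. CHECK_LIST is the 30-byte table at ROM 0x20F6F as
# quoted above; the memory dictionary below is constructed for the demo.

CHECK_LIST = bytes.fromhex(
    "BB9F FB9B1C9C"   # pointers to "GIMMICK!" and "(c) 1992 SUNSOFT"
    "BC3C 140F0D0F"   # "TOMO" (unused string)
    "A870 0FC904D0"   # part of the last-text-page check
    "E0A4 A01B2051"   # LDY #$1B / JSR $F051: loads and jumps to intro bank
    "E0A8 F0200080"
)

def parse_check_list(table):
    """Split the table into (address, expected 4 bytes) entries, exactly as
    the loop at $8F28 walks it: 2-byte big-endian address, then 4 data bytes."""
    assert len(table) % 6 == 0
    return [(int.from_bytes(table[i:i + 2], "big"), table[i + 2:i + 6])
            for i in range(0, len(table), 6)]

def rom_checks_out(mem, table=CHECK_LIST):
    """mem maps CPU address -> byte. Mirrors the compare loop at $8F36:
    any mismatch means the intro text or loader code was altered."""
    return all(bytes(mem[a + k] for k in range(4)) == expected
               for a, expected in parse_check_list(table))

def decrypt_payload(blob):
    """Per byte: EOR #$AC, then SEC/SBC #$07, as the routine at $8F4A does."""
    return bytes(((b ^ 0xAC) - 0x07) & 0xFF for b in blob)

def encrypt_payload(code):
    """Inverse transform, handy for confirming a candidate plaintext."""
    return bytes(((b + 0x07) & 0xFF) ^ 0xAC for b in code)

def decode_tiles(tiles):
    """Tile 0 is blank and 1..26 map to A..Z (matches the $054F string)."""
    return "".join(" " if t == 0 else chr(ord("A") + t - 1) for t in tiles)

BLACK_HOLE_TILES = bytes.fromhex("00000000020C01030B00080F0C05000000")

if __name__ == "__main__":
    # Constructed memory image that matches the table, then one tampered byte.
    good = {a + k: exp[k] for a, exp in parse_check_list(CHECK_LIST) for k in range(4)}
    bad = dict(good)
    bad[0xBB9F] ^= 0xFF
    print(rom_checks_out(good), rom_checks_out(bad))   # True False
    print(repr(decode_tiles(BLACK_HOLE_TILES)))
```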
Raccoon Sam
Posted on 12-27-12 10:19:06 AM
Very thorough, interesting and informative. —Applause—