Jul -- The Cutting Room Floor: Gimmick!

Hiccup
Member
Level: 57

Posts: 273/772
EXP: 1474036
For next: 11892

Since: 05-19-09

Since last post: 101 days
Last activity: 2 days

Posted on 12-24-12 10:48:34 AM (last edited by Hiccup at 12-24-12 10:50:09 AM)

Link | Quote

I am not familiar with the game so I will put this here.
Romhacking.net - Utilities - Gimmick! Editor
Somebody might be able to find stuff with this.

Dunno if this should go on the page?
Jul -- Cutting Room Floor: Weird Discoveries

There is also a report of an anti-piracy function on Gimmick's! article's talk page.

____________________
New Super Mario Bros Beta Replica

Rick
M'Lord, there's a knife in your head!
Level: 152

Posts: 6506/7539
EXP: 43667889
For next: 633771

Since: 02-15-10

From: Maine

Since last post: 113 days
Last activity: 45 days

Posted on 12-26-12 01:27:23 AM

Link | Quote

I poked around the level editor a bit and didn't see anything unusual in the levels. I'll poke around it more though and see what else I can find.

Any reason why it's stickied, outta curiousity? Something big happening?

____________________

_______________________
| 6506 | 13494 | 1044 | 13 |

RahanAkero

The End of the World
Level: 57

Posts: 659/756
EXP: 1399487
For next: 86441

Since: 11-25-09

From: Staten Island, NY

Since last post: 254 days
Last activity: 15 days

Posted on 12-26-12 01:53:35 AM (last edited by RahanAkero at 12-26-12 01:54:22 AM)

Link | Quote

I may have fatfingered and stickied it on my phone, unless someone else stuck it. D:

EDIT: Unstuck, unless someone wishes to correct me. :o

____________________

Hiccup
Member
Level: 57

Posts: 277/772
EXP: 1474036
For next: 11892

Since: 05-19-09

Since last post: 101 days
Last activity: 2 days

Posted on 12-26-12 10:06:09 AM

Link | Quote

I was not even aware of that.
:/

____________________
New Super Mario Bros Beta Replica

Rachel Mae

Creature of Chaos
Level: 141

Posts: 5282/5929
EXP: 33575322
For next: 544692

Since: 07-03-07

Pronouns: she/her
From: Foxglen

Since last post: 11 days
Last activity: 2 days

Posted on 12-27-12 09:52:47 AM (last edited by BMF54123 at 12-27-12 10:10:54 AM)

Link | Quote

Well, look what I found!

The game does indeed have a copy protection routine, which is only triggered if the intro text is tampered with (as is the case with the pirated version, Shui Guan Pipe) AND the player makes it to the secret Stage 7. This prevents unsuspecting players from being able to advance to the final boss and see the good ending.

At 0x20031 in the ROM is the following code:

08:8021:BD 50 03 LDA $0350,X // load sprite ID from active sprite list

                                        08:8024:C9 AA CMP #$AA // is it #AA?

                                        08:8026:D0 05 BNE $802D // if no, carry on

                                        08:8028:20 21 8F JSR $8F21 // if yes, jump to copy protection routine

This code is run whenever any sprites (aside from Gimmick himself) are on the screen. The sprite ID it's looking for, #AA, is the little black bug crawling on the castle in stage 7:

Seems innocent enough.

As soon as the bug is loaded into RAM, this code is run, at 0x20F31:

08:8F21:A0 1B LDY #$1B // load ROM bank #1B (intro text/routines)

                                        08:8F23:20 5E F0 JSR $F05E

                                        08:8F26:A2 00 LDX #$00

                                        08:8F28:BD 5F 8F LDA $8F5F,X // load address from ROM check list

                                        08:8F2B:85 01 STA $0001 // store in temp RAM

                                        08:8F2D:E8 INX

                                        08:8F2E:BD 5F 8F LDA $8F5F,X

                                        08:8F31:85 00 STA $0000

                                        08:8F33:E8 INX

                                        08:8F34:A0 00 LDY #$00

                                        08:8F36:B1 00 LDA ($00),Y // load byte from address in temp RAM

                                        08:8F38:DD 5F 8F CMP $8F5F,X // compare with ROM check list

                                        08:8F3B:D0 0D BNE $8F4A // if it doesn't match, UH OH! BUSTED!

                                        08:8F3D:E8 INX // otherwise, continue to next byte/address

                                        08:8F3E:C8 INY

                                        08:8F3F:C0 04 CPY #$04

                                        08:8F41:D0 F3 BNE $8F36

                                        08:8F43:E0 1E CPX #$1E

                                        08:8F45:90 E1 BCC $8F28

                                        08:8F47:A9 AA LDA #$AA // if ROM checks out, reload sprite ID #AA

                                        08:8F49:60 RTS // return to sprite processing

                                        

                                        ROM check list @ 0x20F6F (addresses underlined, in big endian format):

                                        BB 9F FB 9B 1C 9C // pointers to "GIMMICK!" and "© 1992 SUNSOFT"

                                        BC 3C 14 0F 0D 0F // "TOMO" (unused string)

                                        A8 70 0F C9 04 D0 // part of code that checks whether last text page has been displayed

                                        E0 A4 A0 1B 20 51 // code that loads and jumps to intro text bank

                                        E0 A8 F0 20 00 80

This code checks a few strings and pointers in the bank where the intro text and display routines are stored, as well as some code in the fixed bank. If any of these bytes are changed (e.g. to skip or alter the text), the following routine is activated, at 0x20F5A:

08:8F4A:A2 00 LDX #$00 // UH OH! BUSTED!

                                        08:8F4C:BD 7D 8F LDA $8F7D,X // load encrypted byte

                                        08:8F4F:49 AC EOR #$AC // do some simple decryption on it...

                                        08:8F51:38 SEC

                                        08:8F52:E9 07 SBC #$07

                                        08:8F54:9D 00 05 STA $0500,X // ...and store it in RAM

                                        08:8F57:E8 INX

                                        08:8F58:E0 60 CPX #$60 // continue until all 96 bytes are decrypted...

                                        08:8F5A:90 F0 BCC $8F4C

                                        08:8F5C:4C 00 05 JMP $0500 // ...and jump to $0500 (start of decrypted routine in RAM)

This is where things get really interesting. At 0x20F8D is a 96-byte block of seemingly innocuous data, which in reality is an XOR-encrypted routine! This is decrypted and copied to $0500-$055F in RAM, where it is then executed. This is what displays the BLACK HOLE text and locks up the game.

Here is the decrypted routine, with the important bits commented:

:0500:A9 FF LDA #$FF

                                        :0502:85 29 STA $0029

                                        :0504:20 9F F2 JSR $F29F

                                        :0507:A9 00 LDA #$00

                                        :0509:85 FD STA $00FD

                                        :050B:85 FC STA $00FC

                                        :050D:A5 FF LDA $00FF

                                        :050F:29 FC AND #$FC

                                        :0511:85 FF STA $00FF

                                        :0513:A9 00 LDA #$00 // blank screen

                                        :0515:A2 20 LDX #$20

                                        :0517:A0 00 LDY #$00

                                        :0519:20 2E F3 JSR $F32E

                                        :051C:AD 02 20 LDA $2002

                                        :051F:A9 21 LDA #$21 // set screen address $21A7

                                        :0521:8D 06 20 STA $2006

                                        :0524:A9 A7 LDA #$A7

                                        :0526:8D 06 20 STA $2006

                                        :0529:A2 00 LDX #$00

                                        :052B:BD 4F 05 LDA $054F,X // load BLACK HOLE text

                                        :052E:8D 07 20 STA $2007 // write to screen

                                        :0531:E8 INX

                                        :0532:E0 11 CPX #$11

                                        :0534:D0 F5 BNE $052B

                                        :0536:A9 00 LDA #$00

                                        :0538:85 4A STA $004A

                                        :053A:A9 01 LDA #$01

                                        :053C:85 E9 STA $00E9

                                        :053E:20 5B F3 JSR $F35B

                                        :0541:A9 00 LDA #$00

                                        :0543:85 29 STA $0029

                                        :0545:A9 40 LDA #$40 // load font into background CHR

                                        :0547:85 E5 STA $00E5

                                        :0549:20 96 F2 JSR $F296

                                        :054C:4C 91 FF JMP $FF91 // jump to infinite loop

                                        

                                        Text string @ $054F:

                                        00 00 00 00 02 0C 01 03 0B 00 08 0F 0C 05 00 00 00

                                        __ __ __ __ B L A C K __ H O L E __ __ __

It's worth noting that none of this code is ever executed in the European version, as the triggering sprite ID was changed to #FE, which never appears during normal gameplay.

____________________

Raccoon Sam
Member
free speech disabled
Level: 32

Posts: 139/187
EXP: 187679
For next: 18763

Since: 07-25-07

From: Somewhat

Since last post: 4.4 years
Last activity: 1.0 years

Posted on 12-27-12 10:19:06 AM

Link | Quote

Very thorough, interesting and informative. —Applause—

Register - Login
Views: 99382676	Main - Memberlist - Active users - Calendar - Wiki - IRC Chat - Online users Ranks - Rules/FAQ - Stats - Latest Posts - Color Chart - Smilies	04-24-22 01:36:02 AM

Query execution time:	0.110512 seconds
Script execution time:	0.012640 seconds
Total render time:	0.123152 seconds