New Gens mod (and some 32x info)

[Tony Hedstrom]

There's a new modded version of Gens out that is pretty damn cool. It's version 9.5b. It has the memory tracer and assembly logger from "Gens Tracer", and it also has an improved RAM searching feature that lets you search for normal "FF" type RAM addresses, and it will search for Sega CD and 32x RAM addresses.

Here's a link for Gens 9.5b

http://www.homeactionreplay.org/info/

I didn't get my copy from that site, so let me know if you have problems with the link/DL and I'll get another address.

=================================

32x info...

Now that I can search for 32x RAM addresses (SH2 memory), I started playing around with some 32x games that I didn't have much luck with before. I found some interesting stuff...

As it is right now, once you find a 32x RAM address (SH2 memory), there's only one way that I could think of to find out where that RAM address is being controlled from in the ROM... use the unmodded version of Gens 2.11 that has the built in 68k/32x debugger. I used Chemist's method of using save states and tracing through the assembly using the O, I, U, Y, and T keys and watching the SH2 CPU memory addresses for changes. All the assembly language is completely different than 68000, but it still uses MOVE, RTS, SUB etc, so you can kinda figure out what's going on.

There is a big problem using that method though... it appears that Game Genie codes will not modify areas of the ROM that are specifically for the 32x. Usually you need to use Game Genie codes to get past code that just cycles over and over, but with 32x games you can't, so you have to "step" over those parts of code with the "N" key. Very time consuming but it usually
works.

Since Gens won't let you use Game Genie codes for areas of the ROM that are specifically for 32x, you have to hack the ROM instead. When you do this, you'll probably find that you get a blank screen when you try to run the ROM. Checksum problems.

As far as I can tell, the Genesis part of the ROM and the 32x part of the ROM don't use the same checksum routine. For example, Doom 32x doesn't need a master code when you use my "start on hidden level" Game Genie code, but if you hack an area of the ROM that's for the 32x, you need a 32x master code. The good news is that so far, it looks like several 32x games all use the exact same 32x master code. The 32x master code can be done by hacking the ROM or with a Game Genie code: $0007CC:6002 = AJDT-AA8N.

Here are some 32x RAM addresses (SH2 memory)...

Blackthorne 32x
Health = 0603AC40 (although it may be used for other things as well?)

Kolibri
Health = 06036D8C

Doom 32x
Health = 060012ED


When you use the 32x debugger in Gens, ignore the "06" in the SH2 memory addresses above (0603AC40 = 03AC40 etc). When you're looking at the "Master SH2 Debug" screen in Gens, you'll see ROM addresses like this: 0205CCD0. Remove the "02" to get the actual ROM address.


Anyways, if anyone has some 32x knowledge, please let me know, because I have a ton of questions.

[MIR]

Congrats on a great find! Thank you for sharing.

[Tony Hedstrom]

Some interesting things I've noticed about the 32x...

It appears that all 32x instructions are only 2 bytes (meaning there are no operands). A little hard to get use to after spending so much time with 6502, 65c816 and 68k.

While trying to figure out why Shadow Squadron wouldn't run, I made an assembly trace and found what appears to be how the 68k goes into "32x mode" (I have no idea what it's really called, but the 68k only does this with 32x games).

00:04BE 4E D0 JMP (A0) A0=00FF0000 A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc

FF:0000 1B 7C MOVE.b #$01,$5101(A5) A0=00FF0000 A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc

FF:0006 41 F9 LEA ($000006BC),A0 A0=00FF0000 A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc

FF:000C D1 FC ADDA.L #$88,A0 A0=000006BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc

FF:0012 4E D0 JMP (A0) A0=008806BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc

88:06BC 41 F9 LEA ($00FF0000),A0 A0=008806BC A1=00FF0020 A2=00C00011 A3=00000512 A4=FFFFFFC0 A5=00A10000 A6=00000000 A7=00FFEE00 D0=00000000 D1=00000000 D2=0000FFFF D3=00000000 D4=00000000 D5=00000000 D6=00000000 D7=00000100 xnzvc


Hopefully, someone will make a 32x assembly tracer someday.

================================

In case anyone wants to know how to make 32x ROM hacks (I'm sure there are thousands of people. lol), here's a quick guide...

Use Gens 9.5b to find the SH2 memory address (32x RAM).

Use regular (non modded) Gens 2.10 (or any version that has the 32x debugger) and open your 32x ROM.

We'll use Shadow Squadron as an example. The SH2 memory address for damage/shield is $061CE19. Remove the "06" from the address to get the actual RAM address used in the debugger: 1CE19.

Once the game is running, wait until your ship is just about to take some damage and press F5 to make a save state. The closer to the exact point when you'll actually take damage the better. Enter the 32x debugger. Look in the SH2 memory section of the debugger and use these keys to find the SH2 memory address that you found earlier:

Memory (RAM) Window Movement Keys:
R-Up 1 Line
F-Down 1 Line
E-Up 12 Lines
D-Down 12 Lines
W-Up 144 Lines
S-Down 144 Lines

Once you can see the value for your RAM address, all you have to do is start tracing through lines of code until your RAM address changes. Find the exact line of code that caused the RAM address to change, and you have your hack (almost).

Here's the keys to use to trace through the code...

Debugger Tracing Keys:
T - Trace 1 command
Y - Trace 10 commands
U - Trace 100 commands
I - Trace 1,000 commands
O - Trace 10,000 commands
P - Trace 100,000 commands

If you go past the line of code that caused the RAM address to change, press F8 to reload the save state.

There is one fairly big problem though... many games will go into an endless loop when you enter the debugger and try tracing. If you're familiar with 32x assembly, this should be no problem, but if you're like me and know very little 32x asm, here's how to get out of those endless loops...

Trace one line of code at a time (the "T" key) and look for something like this: "bf 02xxxxxx" or "bf/s 02xxxxxx". When you get to that line, press the "N" key to step over that instruction. You may have to do this more than once.

One last thing, the ROM/CPU address shown in the 32x debugger isn't the actual ROM address. If it begins with "02xxxxxx", then you can usually just ignore the "02" for the actual ROM address, but if it begins with "06xxxxxx", you'll need to write down a string of numbers (32x opcodes) and search for that string in the ROM.

Since there are no operands, NOP will work in many situations to kill additions, subtractions, etc (0009 = NOP).

Don't forget to hack the 32x master code into your ROM or else you'll get a blank screen.