Some times ago, some fellas from the Necstasy forum discussed the fact that parts of Human Sports Festival can be extracted into standalone games. Human Sports Festival (or HSF for the connoisseurs) is a sports compilation made of a Fine Shot Golf, Formation Soccer Human Cup 92 and last but not least Final Match Tennis Ladies.
The first thing to do is to find the sectors where the game is stored and more importantly, is there any CD-ROM access during the game?
Instead of mindlessly put a breakpoint on the cd_read routine ($e009), a less painful and efficient alternative is to use the mednafen logger. Press alt+d then alt+4 to view it. Don’t forget to press T to enable logging. The next screenshot shows what you get when you launch Final Match Tennis Ladies
Hopefully nothing more shows up during the game. This means that the last read command loads the whole game. Let’s take a look at it.
Read: start=0x000011c8(track=2, offs=0x000003c2), cnt=0x00000080
Remember that the offset and count refers to sectors. A sector being 2048 bytes long, we will open the 2nd track with our favorite hexadecimal editor (here bless), jump to the offset 0x1e1000 (that is 0x3c2 * 2048) and dump the following 262144 bytes (0x80 * 2048).
But it’s not over yet! We must take a look at what is done after the game is loaded in HSF just in case we have to add the IRQ and other stuffs to make it work. Let’s check it!
First, we put a breakpoint on the cd_read ($e009) and painstakingly walk along it until we reach the rts instruction and jump back to the calling code.
We land back at $2309.
The whole routine in text form:
22ef: sta $fc 22f1: lda #$03 22f3: sta $fd 22f5: lda #$c2 22f7: sta $fe 22f9: lda #$06 22fb: sta $ff 22fd: lda $22d0 ; = 68 2300: sta $fa 2302: lda #$80 2304: sta $f8 2306: jsr $e009 2309: and #$ff 230b: bne $22ed 230d: sei 230e: lda #$ff 2310: sta $1402 2313: stz $0C01 2316: jsr $e081 2319: jsr $e087 231c: cli 231d: lda $22d0 2320: tam #$80 2322: jmp $e000
From $22ef to $2304 the parameters to cd_read is set. At $2306 cd_read is called. What follows is very interesting. If no error occurred during the cd read, first the interrupts are disabled by calling sei and setting all the bits of $1402 to 1. The timer is disabled by setting $0C01 to 0. Then $e081 (ex_rcroff) and $e087 (ex_irqoff) routines are called. Those 2 routines respectively disables system card hsync and IRQ handlers.
After that, the CD-ROM RAM bank where the game is stored is mapped to mpr #7. Then we dive into the unknown by jumping to $e000.
There’s something important to note here. As the whole game data is stored in RAM and mapped to the mpr #7, IRQ vectors will be the one stored in RAM and not the ones from the system card. That’s a pretty good news. We are not forced to butcher the ROM to force feed IRQ vectors into it.
As free cakes are always dubious, we will see what $e000 is made of.
A simple jump to $e072. Fantastic!
This routine looks like a standard RESET interrupt handler.
Let’s test the extracted ROM… Blimey! The screens is jogging. The controls are sloppy. And the game freezes after player selection.
Oh mighty quick-tempered bearded fanciful overlord, why have you forsaken me?
Let’s look back at the mednafen debugger.
We see that SPD (the CPU speed mode) is set to 0. The PC Engine CPU is in SLOW mode.
If we look at Final Match Tennis for cross-reference, we see that the CPU is in HI-SPEED mode.
We will have to find a place where we can safely put the necessary instruction to switch the CPU to the required mode. $e074 is a relatively promising spot.
e074: cla e075: sta $22d1
The cla/sta combo can be rewritten with a single stz, leaving us with an extra byte where to put the csh instruction that will set our CPU at the correct speed.
Another issue was reported by one of the good old chap from the necstasy forum. During a set, a soft reset (SEL+RUN) will crash the game. To keep things short and entertaining, instead of jumping to the RESET IRQ vector, it jumps to $22d6 in RAM. That bugger is at $e027.
And voilà, you should be able to enjoy Final Match Tennis Ladies on a HuCard.
The following IPS patch will fix the aforementioned issues on the extracted ROM.