{"id":811,"date":"2013-03-24T17:17:37","date_gmt":"2013-03-24T16:17:37","guid":{"rendered":"http:\/\/blog.blockos.org\/?p=811"},"modified":"2014-09-21T17:07:11","modified_gmt":"2014-09-21T16:07:11","slug":"roger-quartermain-and-the-lost-script-of-the-heisei-era","status":"publish","type":"post","link":"https:\/\/blog.blockos.org\/?p=811","title":{"rendered":"Roger Quartermain and the lost script of the Heisei era."},"content":{"rendered":"

Roger is happy. He bought a cheap PC-Engine CDRom game called “Nishimura Kyotaro Mystery.: Hokutosei No Onna”. It seems to be a detective game like J.B. Harold Murder Club<\/a>, Jake Hunter<\/a>, Ace Attorney<\/a>, Le Manoir de Mortevielle<\/a> or Maupiti Island<\/a>. It was published by Naxat (now Kaga Create<\/a>) in 1990.
\nHe remembers that some games have a language option. For example, the japanese version of J.B Harold Murder Club can be played in english<\/a>. Unfortunately such option was nowhere to be found in Hokutosei No Onna… Nevermind! Roger Quartermain grabs his boots, his hat and jumps into the game dark bowels!
\nThe introduction seems to be about some dude stabbed in his room, 2 girls going to a train station and another guy who is apparently stalking them.<\/p>\n

\n\"Nishimura-0000\"\"Nishimura-0013\"
\n\"Nishimura-0004\"\"Nishimura-0005\"
\n\"Nishimura-0006\"\"Nishimura-0007\"\n<\/div>\n

As it’s a CDRom game, it must use the BIOS function for displaying text. Roger took his old notes<\/a> and search for any text related routine. Here it is! ex_fnt<\/strong> located at $e060<\/strong>. He draw his favorite emulator<\/a> and set a breakpoint to it.
\n\"debugger00\"<\/a>It fires just after the introduction when what seems to be the savegame selection screen appears.<\/p>\n

\"Nishimura-0008\"\"debugger01\"<\/a><\/div>\n

Roger is not really interested in the ex_fnt<\/strong> routine but more in the calling environment. So he sent breakpoints to the potential rts<\/strong>. A gentle pression to the R<\/strong> key sends him to $f1e2<\/strong>. Another push to the S<\/strong> key brings him the the caller.<\/p>\n

\"debugger02\"<\/a><\/div>\n

Here it is at $566b<\/strong>.
\n\"debugger03\"<\/a>
\nAccording to the notes, the shift-jis is loaded from $41<\/strong>, $42<\/strong> to $f8<\/strong> and $f9<\/strong>. The logical next step is to put a write breakpoint to $41<\/strong> and $42<\/strong>.
\n\"debugger04\"<\/a>
\nThe write breakpoint is triggered at $5b20<\/strong>. The code is pretty simple.<\/p>\n

5b1c: ldy #$00\r\n      lda ($3c), Y\r\n5b20: sta $41\r\n      iny\r\n      lda ($3c), Y\r\n      iny\r\n      sta $42<\/pre>\n
The next step is to search where the $3c<\/strong> pointer. Once again Roger has to set a new write breakpoint at $3c<\/strong> and $3d<\/strong>.<\/p>\n
5a18: lda #$90\r\n      bra $5a22\r\n      lda #$40\r\n      bra $5a22\r\n      lda #$80\r\n5a22: sta $c0\r\n5a24: sty $3d\r\n      cpy #$00\r\n      beq $5a2f\r\n      stx $3c\r\n      smb5 $c0\r\n      rts<\/pre>\n
Unfortunately the caller is not that obvious to discover. But the good news is that the text is not compressed. By keeping track of the values stored at $41<\/strong> and $42<\/strong>, Roger manages to extract the string <\/p>\n
40 81 40 81 40 81 C7 82 CC 82 54 8B E4 88 59 8C 96 8E C5 82 6E 8E DF 82 DC 82 B7 82 A9 82 48 81 0D 00 FF 00<\/pre>\n
 The endiannes must be swapped. He hopefully has some handsome perl script at hand swap_endian.pl<\/a>. The last 4 characters looks like some control code. His long time experience enables him to deduce that 00 0D<\/strong> is some kind of newline<\/strong> code and 00 FF<\/strong> may be for end of text<\/strong>. Here’s the string.
\n
\u3000\u3000\u3000\u3069\u306e\u4e80\u4e95\u5211\u4e8b\u3067\u59cb\u3081\u307e\u3059\u304b\uff1f<\/code><\/center>
\nBut this doesn’t tell Roger where the $3c<\/strong> pointer is set. Roger knows that on CDRom systems, the data is first transfered to RAM before being executed. This means that the code can be self-modifiable. Unluckily this is the case here. Roger has to set a breakpoint where the jump is done and run it until he finally reaches the pointer initialization code. Time passes and he ends up at $724d<\/strong> <\/p>\n
724d: ldx #$fc\r\n      ldy #$74\r\n      jmp $5a18<\/pre>\n
He restarts the game with only the write breakpoint at $41<\/strong> and $42<\/strong>. As expected he ends up at the same code as before for the first sentence. The next run lands at a different location acb4<\/strong>.<\/p>\n
acae: lda $4f\r\n      asl A\r\n      tay\r\n      lda ($50), Y\r\nacb4: sta $41\r\n      iny\r\n      lda ($50), Y\r\n      beq $acd8\r\n      sta $42\r\n      lda $2922\r\n      sta $3f\r\n      lda $2923\r\n      sta $40\r\n      lda #$01\r\n      jsr $5655<\/pre>\n
 The pointer $50<\/strong> is initialized at ac92<\/strong>.<\/p>\n
ac8a: tay\r\n      lda $312a, Y\r\n      asl\r\nac8e: tay\r\nac90: lda ($9f), Y\r\n      sta $50\r\n      iny\r\n      lda ($9f), Y\r\n      sta $51<\/pre>\n
 So the pointer is set up from a table. He gets the values\t<\/p>\n