DirMaster - C64 BTII

[Darendor]

It is my intention to attempt to examine and disassemble Bard's Tale II for the Commodore 64.

I will be using this program: http://style64.org/dirmaster

There will be undoubtedly headaches, confusion, long drives into empty fields in the middle of the night, and possibly a few posts from me along the lines of "Why God Why?"...

"But Darendor the Mad, you barely understand 6510 ML code! How could you expect to know what you're doing?"

Easy. I shall pretend it is BASIC.


No but seriously, wish me luck. And Tylenol.

[Darendor]

Alright. So.

I've done an ML dump of the 2 visible files on the BOOT disk.

I've started going through the first of those 2 files, named BARDS TALE II.PRG ...

So far this is what I've interpreted:

Code: Select all

0801 0b       ???		0801 nonsense?
0802 08       php 		0802 "Push Processor Status on Stack"
0803 cc 0d 9e cpy $9e0d		0803 "Compare Memory and Index Y"
0806 32       ???		0806 nonsense?
0807 30 36    bmi $083f		0807 Branch on Result Minus to $083f [N.B. there is no valid command at $083f??]
0809 34       ???		0809 nonsense?
080a 00       brk 		080a nonsense?
080b 00       brk 		080b nonsense?
080c 00       brk 		080c nonsense?
080d 78       sei 		080d "Set Interrupt Disable Status"
080e a2 00    ldx #$00		080e "Load Index X with Memory" value of 0
0810 78       sei 		0810 "Set Interrupt Disable Status"
0811 a2 00    ldx #$00		0811 "Load Index X with Memory" value of 0
0813 bd 30 08 lda $0830,x	0813 Get byte at ($0830 + X)
0816 9d 00 01 sta $0100,x	0816 Store that byte at ($0100 + X)
0819 e8       inx 		0819 Increment Index X by 1
081a d0 f7    bne $0813		081a Branch on Result not Zero to address $0813
081c ca       dex 		081c Decrement Index X by 1
081d 9a       txs 		081d Transfer Stack Pointer to Index X
081e a9 e9    lda #$e9		081e "Load Accumulator with Memory" value of e9 [aka 233]
0820 85 2d    sta $2d		0820 Store e9 [233] at memory location $002d
0822 a9 0c    lda #$0c		0822 "Load Accumulator with Memory" value of 0c [aka 12]
0824 85 2e    sta $2e		0824 Store oc [12] at memory location $002e
0826 4c 00 01 jmp $0100		0826 Jump to memory location $0100
0829 ea       nop 		0829 No Operation
082a ea       nop 		082a No Operation
082b ea       nop 		082b No Operation
082c ea       nop 		082c No Operation
082d ea       nop 		082d No Operation
082e ea       nop 		082e No Operation
082f ea       nop 		082f No Operation
0830 a9 0a    lda #$0a		"Load Accumulator with Memory" value of 0a [aka 10]
0832 85 02    sta $02		Store 0a [10] at memory location $0002
0834 a9 30    lda #$30		"Load Accumulator with Memory" value of 30 [aka 48]
0836 85 01    sta $01		Store 30 [48] at memory location $0001
0838 a9 00    lda #$00		"Load Accumulator with Memory" value of 0 [aka 0]
083a 85 ae    sta $ae		Store 0 [0] at memory location $00ae
083c a9 ff    lda #$ff		"Load Accumulator with Memory" value of ff [aka 255]
083e 85 af    sta $af		Store ff [255] at memory location $00af
0840 38       sec 		Set Carry Flag
0841 a5 2d    lda $2d		"Load Accumulator with Memory" value of whatever is at memory location $002d
0843 e9 ff    sbc #$ff		Subtract Memory from Accumulator with Borrow value of ff [255]
0845 85 c1    sta $c1		Store result at memory location $00c1
0847 a5 2e    lda $2e		"Load Accumulator with Memory" value of whatever is at memory location $002e
0849 e9 00    sbc #$00		Subtract Memory from Accumulator with Borrow value of 0 [0]
084b 85 c2    sta $c2		Store result at memory location $00c2
084d a0 00    ldy #$00		"Load Index Y with Memory" value of 0 [0]
084f b1 c1    lda ($c1),y	"Load Accumulator with Memory" [vector of $00c1] plus offset Y [0]
0851 91 ae    sta ($ae),y	Store Accumulator value at $00ae plus offset of Y [0]
0853 88       dey 		Decrement Index Y by 1
0854 d0 f9    bne $084f		Branch on Result not Zero to memory address $084f
0856 c6 c2    dec $c2		Decrement value of memory address $00c2 by 1
0858 c6 af    dec $af		Decrement value of memory address $00af by 1
085a a5 c2    lda $c2		"Load Accumulator with Memory" value of memory location $00c2	
085c c9 07    cmp #$07		"Compare Memory and Accumulator" to value 07 [7]
085e d0 ef    bne $084f		Branch on Result not Zero to memory address $084f

The native ML code is to the left, of course, and my attempts to annotate/decipher to the right.

It seems that nothing happens until $080d, with the SEI instruction. The bytes preceeding this address are gibberish, or perhaps they are part of the "autorun" code from using LOAD"*",8,1 to start the game...

I believe that this part of the file prepares the screen and fonts for the loading intro, but I could be way off there.

[Twoflower]

You are way off.

The initial routine transfers the routine at $0830 to the area commonly known as the stack at $0100. Now, why would anyone want to transfer code to an area that get messed up by resets, writes to the accumulators, jumps to subroutines, etc?

That's the first question to answer, Darendor.

[Darendor]

You are way off.

I kinda thought as much after I posted it. Like I said, expect me to not get it right the first couple [dozen] times.


Bear with me, I'm trying to get it sorted out.

So what is actually happening with that code I posted, if you don't mind handholding me for moment?

[Darendor]

The initial routine transfers the routine at $0830 to the area commonly known as the stack at $0100. Now, why would anyone want to transfer code to an area that get messed up by resets, writes to the accumulators, jumps to subroutines, etc?

Having thought about it, I can only surmise that this is done as part of the auto-loading sequence.

Am I any closer?

[drifting]

Looking at the C64 documentation, it looks like the initial program loaded is "EA". From the C64 docs:

Code: Select all

If you have a C64, insert the
boot disk and type Load "EA",8,1.

That would be the place to start.

[Darendor]

Looking at the C64 documentation, it looks like the initial program loaded is "EA". From the C64 docs:

Code: Select all

If you have a C64, insert the
boot disk and type Load "EA",8,1.

That would be the place to start.

Hmm.

My copy of the boot disk has this:




Looks like someone from Triangle hacked it back in 1988 to make a "trainer".

[Darendor]

Thinking further, I guess I could extrapolate the following based on that unlimited hitpoints trainer note:

- it claims that the game "loads new code all the time"; hardly surprising given that it loads graphics, characters, dungeon levels, and so on...
- the disclaimer about it only working in combat mode means there's different subroutines for handling damage against characters; obviously combat mode, but also things like getting hit by traps, walking on HP leech zones, and so on... so the 'trainer' only knows how to set one kind of flag; the combat damage flag or whatever (i.e. it bypasses the damage calculator in combat)


More to come.

[drifting]

Thinking further, I guess I could extrapolate the following based on that unlimited hitpoints trainer note:

- it claims that the game "loads new code all the time"; hardly surprising given that it loads graphics, characters, dungeon levels, and so on...
- the disclaimer about it only working in combat mode means there's different subroutines for handling damage against characters; obviously combat mode, but also things like getting hit by traps, walking on HP leech zones, and so on... so the 'trainer' only knows how to set one kind of flag; the combat damage flag or whatever (i.e. it bypasses the damage calculator in combat)

More to come.

In the DOS version, there is only one damage routine that handles damage for characters and monsters. I would expect the C64 version to be similar but who knows. There might be copies of the damage routine on the different disks. Dunno.

What is the effect of the "unlimited hitpoints" flag? Does it just not subtract from the characters HP? All monsters miss? All damage is zero?

[drifting]

Which program does LOAD "*" run in that case?

[Darendor]

Which program does LOAD "*" run in that case?

It loads BARDS TALE II.PRG...

[Darendor]

I was messing around with the BOOT disk and I decided to take a peek at LOADER.PRG...


I found this when I asked it to display the contents:




I also think that there's a program called UILOADER.PRG hiding there.

[Darendor]

So courtesy of Twoflower I have copies of the BT2 C64 disk images that are decloaked or whatnot.

My task at hand is to figure out how to de-bitshift the bytes of the files. My understanding is that they're all bitshifted by #$EA.

As soon as I figure out how to do this I will post more.


I am in way, wayyyy over my head here. But that's okay.

[Darendor]

Alright.

I randomly selected a file on the first DUNGEON disk.

Here is the first few bytes of the file that I believe I have de-shiftbitted or whatever.

Does anyone here follow the code? I see a few JSRs in there but other than that it seems to be gibberish-y.

Code: Select all

48ea 20  JSR   
48eb e1  SBC   
48ec 08  PHP   
48ed e6  INC   
48ee c1  CMP   
48ef a2  LDX   
48f0 49  EOR
48f1 20  JSR
48f2 1b  SLO
48f3 08  PHP
48f4 a0  LDY   
48f5 a2  LDX   
48f6 a2  LDX   
48f7 60  RTS   
48f8 20  JSR
48f9 06  ASL
48fa 08  PHP
48fb 20  JSR
48fc 78  SEI
48fd 08  PHP
48fe 20  JSR
48ff 87  SAX
4900 08  PHP
4901 c9  CMP  
4902 c2  NOP  
4903 f0  BEQ  
4904 20  JSR  
4905 c9  CMP  
4906 c6  DEC  
4907 d0  BNE  
4908 f2  ???  
4909 20  JSR  
490a e1  SBC  
490b 08  PHP
490c a0  LDY
490d a2  LDX
490e a2  LDX

[Twoflower]

Darendor, you need to get a better machinecode debugger.

There is a monitor in f.ex Vice that you can use. You have decloaked the file correctly, and from what I can see, it is code. Probably one of the small function-routines that fills a special purpose when wandering around. The code should look something like this:

Code: Select all

48EA JSR $08E1 - Call subroutine at $08E1
48ED INC $C1 - Increase zeropagevalue at $C1
48EF LDX #$49 - Load X with #$49
48F1 JSR $081B - Call subroutine at $081B
48F4 LDY #$A2 - Load Y with #$A2
48F6 LDX #$60 - Load X with #$60
48F8 JSR $0806 - Call subroutine at $0806
48FB JSR $0878 - Call subroutine at $0878
48FE JSR $0887 - Call subroutine at $0887
4901 JSR $F0C2 - Call subroutine at $F0C2
4904 JSR $C6C9 - Call subroutine at $C6C9
4907 BNE $48FB - If branch not equal, jump back to $48FB
4909 JSR $08E1 - Call subroutine at $08E1
490C LDY #$A0 - Rinse and...
490E LDX #$00 - ...reload. See above at $48F2. Same here.

The subroutines at $0800 are the same kind of stuff as in BT1 - look in the BT1-documentation we made some years ago in this forum to get some insight in what kind of routines we are talking about. BT2 isn't a copy, but basically similar.