NESDev and Strangulation Records messageboards


Subject: Disassembling Mario
Posted by: orlot
Posted on: 6/27/03 7:41 PM

Hi,

To get better at programming the 6502 I have disassembled Super Mario Brothers 1 (because it will always be a classic! and because it's mapper 0) and am currently reading the code and commenting everything!

I have gotten through about 400 bytes (that's a decimal 400) of code and I thought I should ask if anyone else has already done something like this before I continue translating the remaining 30-odd thousand bytes (hopefully big chunks will be data!).

And if anyone has done this for a different game I would also be interested in seeing that.

And if anyone is interested in disassembling stuff, I got the best results using the disassembler called md6502 (it comes with source and I recompiled the tool so that its output came in English). But before I disassembled I used a hex editor to remove the 16-byte iNES header from the beginning.

And if anyone wants to see what I am working on I'll post it.


Andrew Chanler




Subject: Re: Disassembling Mario
Posted by: philtulju
Posted on: 6/27/03 8:55 PM

This seems like a nice project, although I had heard rumors that there is some partially complete source that someone had disassembled and commented some time ago.

I would be interested in seeing your results.




Subject: Re: Disassembling Mario
Posted by: reapersms
Posted on: 6/27/03 10:55 PM

I made an attempt at this a while back, first disassembling by hand, then with the aid of a homegrown disassembler.

Unless your disassembler is extremely intelligent, it's most likely screwed up the jumptables. SMB (and a number of other Nintendo titles) do something like this for jumptables:

LDA #$03             ; index of the table entry to run
JSR do_jumptable     ; pushes the address of this JSR's last byte
DW $A020, $8002, etc ; table of target addresses, inline right after the JSR

do_jumptable:
ASL A                ; adjust index into table (each entry is two bytes)
TAY
PLA                  ; grab low byte of the return address (pushed last)
STA $00
PLA                  ; grab high byte of the return address
STA $01
INY                  ; point at the low byte of the entry
LDA ($00), Y
STA $02
INY
LDA ($00), Y         ; high byte of the entry
STA $03
JMP ($0002)

Their version is probably a little bit shorter, as that was from memory. That pops the return address off the stack, and uses it as the base address for a jumptable indexed by A. The RTS at the end of whatever bit of code that entry points at will return to the first function's caller.

Nintendo likes to nest these, I think I remember seeing a set that was 4 tables deep in SMB1 somewhere.




Subject: Re: Disassembling Mario
Posted by: orlot
Posted on: 6/28/03 07:31 AM

Hey,

I already came across one of the jump tables you mentioned and what you typed is exactly how they coded it! This is what it looks like:

This code segment starts at $8E04 in memory:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
asl a           ; index * 2, each table entry is a 16-bit address
tay
pla             ; low byte of the return address (last byte of the jsr)
sta $04
pla             ; high byte of the return address
sta $05
iny             ; return address + 1 = low byte of the entry
lda ($04),y
sta $06
iny
lda ($04),y     ; high byte of the entry
sta $07
jmp ($0006)     ; jump through the assembled target address
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

I found about 14 or 15 places in the source that do a jsr to the beginning of that code segment...


Something else interesting I have come across was right near the beginning of the code... maybe before I just didn't understand NMI interrupts, but I thought it was cool to see that the program basically sets up memory, the PPU, DMA sprite memory, etc... and then turns on the NMI interrupt flag and just continuously loops at one label that jumps to itself while waiting for an NMI interrupt to call the NMI interrupt subroutine.

Andrew
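The dispatcher idiom reapersms describes, and the $8E04 routine quoted above, is exactly what trips up a linear-sweep disassembler: the word table sits inline in the instruction stream. As an added illustration (not code from the thread or from SMB), this Python sketch emulates the dispatcher's return-address arithmetic and runs a tiny sweep with and without a "words follow JSR $8E04" hint; the sample bytes, opcode subset and table length are constructed for the demo.

```python
"""Dispatcher-aware disassembly of the SMB 'JSR dispatcher, then inline word table' idiom."""

DISPATCHER = 0x8E04   # address of SMB's asl/tay/pla/pla/.../jmp routine, as quoted in the thread

# Constructed sample (not SMB bytes): LDA #$01 / JSR $8E04 / three table entries / RTS at $8000.
SAMPLE_BASE = 0x8000
SAMPLE = bytes([0xA9, 0x01,          # 8000  LDA #$01      ; index into the table
                0x20, 0x04, 0x8E,    # 8002  JSR $8E04     ; pushes $8004 (its own last byte)
                0x10, 0x80,          # 8005  .word $8010   ; entry 0
                0x20, 0x80,          # 8007  .word $8020   ; entry 1
                0x30, 0x80,          # 8009  .word $8030   ; entry 2
                0x60])               # 800B  RTS

# Tiny opcode table: format string and operand size. Unknown bytes become .byte.
OPCODES = {0xA9: ("LDA #${:02X}", 1), 0x20: ("JSR ${:04X}", 2), 0x10: ("BPL ${:02X}", 1),
           0x4C: ("JMP ${:04X}", 2), 0x60: ("RTS", 0)}


def dispatch_target(rom, base, jsr_addr, index):
    """Emulate the dispatcher's arithmetic: JSR pushes the address of its last byte
    (jsr_addr + 2); ASL/TAY/INY then read entry i little-endian at ret + 1 + 2*i."""
    ret = jsr_addr + 2
    off = ret + 1 + 2 * index - base
    return rom[off] | (rom[off + 1] << 8)


def disassemble(rom, base, table_len=None):
    """Linear sweep. table_len maps a JSR address to the number of inline .word entries
    following it (the kind of hint a disassembler config file supplies); with no hint the
    sweep decodes the table bytes as instructions, which is what the thread warns about."""
    table_len = table_len or {}
    out, pc = [], 0
    while pc < len(rom):
        addr, op = base + pc, rom[pc]
        fmt, size = OPCODES.get(op, (".byte ${:02X}", 0))
        operand = rom[pc + 1:pc + 1 + size]
        val = int.from_bytes(operand, "little") if size else op
        out.append(f"{addr:04X}  {fmt.format(val)}")
        pc += 1 + size
        # Dispatcher rule: the words right after JSR DISPATCHER are addresses, not code.
        if op == 0x20 and val == DISPATCHER:
            for _ in range(table_len.get(addr, 0)):
                word = int.from_bytes(rom[pc:pc + 2], "little")
                out.append(f"{base + pc:04X}  .word ${word:04X}")
                pc += 2
    return out


if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE, SAMPLE_BASE)))               # table mis-decoded as BPL/JSR
    print("\n".join(disassemble(SAMPLE, SAMPLE_BASE, {0x8002: 3})))  # table recovered as .word
```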







Subject: Re: Disassembling Mario
Posted by: loopy
Posted on: 6/29/03 05:44 AM

I highly recommend IDA for all your disassembling needs. Learn all of its features and you'll wonder why you ever used anything else.

FYI, Super Mario Bros. was disassembled a few years ago by a gentleman by the name of Barubary. He made a SMB hack from it, you might want to look him up.




Subject: Re: Disassembling Mario
Posted by: Memblers
Posted on: 6/29/03 06:50 AM

Yeah, IDA is pretty good. I never did figure out how to make it reassemble a program, though.

SnowBro made a really interesting disassembler, it separates the code and data (like IDA) and you can reassemble it with x816. I still need to put it here on the site.. I think it only works with 16KB PRG games, so I guess it probably wouldn't help with SMB, though.
http://www.stud.ntnu.no/~kenth/nesrev




Subject: Re: Disassembling Mario
Posted by: loopy
Posted on: 6/29/03 11:05 AM

I haven't gotten IDA to reassemble for me, but it has a fairly standard assembly output. With a few small changes, you can send it through your assembler of choice.

What makes IDA stand out from the rest is that its disassembly process is interactive. The whole idea behind IDA is that it lets you massage the disassembly to make it look like you want. Its initial disassembly (which is pretty decent in its own right.. tries to separate code/data and all that) is just the first step. You can then trace through the flow of execution, mark or redefine any code/data segments it missed, define subroutines, change data types, add comments, etc, etc. Everything is done on the fly; you rename a label and all references to it will change. When you're all done, output to asm and you will have something that very closely resembles original source code. If you've seen my FDS BIOS disassembly, that came straight out of IDA. Can't say enough good things about it (as you can tell ;)




Subject: Re: Disassembling Mario
Posted by: orlot
Posted on: 6/30/03 02:58 AM

Since I posted my first post, I have found another tool worth mentioning. It's called "6502 Auto-disassembler". Here's a link to the website: http://home.hccnet.nl/g.baltissen/auto_dis.htm

The download is a compiled executable that did not seem to run in Windows... it said I wasn't running a new enough version of DOS... so I disassembled the utility with an 8086 disassembler, found where it did the DOS version check and patched it so it would ignore whatever version of DOS it thought I was running... and now the tool runs fine! I would have just recompiled the source code that comes with it but it's all Turbo Pascal, which is of little use to me...

Anyways, this tool is for the 6502 processor. The guy who wrote it wrote it for disassembling stuff for the Commodore. And the tool has an awesome feature where you define a type of config file and it uses that to help disassemble the source... for example, I was able to define different memory ranges where I knew vector tables existed in the binary file and this tool was able to figure out parts that I had trouble with using different tools...

If anyone wants the modified version of this tool let me know.... or maybe I can find where I wrote down the address of the byte I modified so you could change it with a hex editor...


Also IDA looks like an awesome tool and I found a free version of it but it only supported 8086 processors... no 6502...

Andrew




Subject: Mario Disassembled!
Posted by: orlot
Posted on: 7/4/03 4:32 PM

Hi,


I have disassembled Mario and it compiles with the assembler ca65 and then I can use the ld65 linker to get it back to a binary image... tack on the iNES header to the front and the original CHR-ROM data to the back and it plays in an emulator.

Although I don't have any comments in this disassembly and I am sure the code is not moveable at the moment... aka it's in the same order it was disassembled in....

If I get a chance I'll try and make it "pretty" and find out how relocatable the subroutines are... aka will it run if I move data and subroutines around...


Andrew




Subject: Re: Mario Disassembled!
Posted by: beneficii
Posted on: 7/6/03 07:29 AM

Interesting. I noticed that on the INT/BRK routine the first instruction (which appears at FFF0) is 0x07, which is bad. I also noticed that SMB uses mapper #1, for what reason I don't know. Anyway, those are my observations on this topic.






Subject: Re: mapper 1 and mario
Posted by: orlot
Posted on: 7/6/03 10:20 AM

Yeah, the IRQ vector at $FFFE does point to $FFF0, which does not contain a valid opcode... so it would make sense to say that Super Mario Brothers does not use the IRQ vector.

And about the mapper... when I started this project of disassembling SMB1 I thought I read somewhere that it was mapper zero... but I was wrong. You are right, it is mapper 1! I loaded up the ROM in my handy dandy hex editor to check out what the iNES header said it was.


But the thing that's getting to me now is, why did they use mapper one if SMB only has 32k of PRG ROM and 8k of CHR ROM?
With only that amount of data, all the data is addressable by the CPU's available address space, which I thought eliminated the need for a mapper....

Other than memory mapping, I know that mapper 1 gives support for setting vertical or horizontal mirroring... or instead 1 page mirroring.

But when in SMB does 1 page mirroring occur? And they can set vertical/horizontal mirroring with the PPU registers....



Andrew




Subject: Re: mapper 1 and mario
Posted by: Memblers
Posted on: 7/6/03 12:03 PM

SMB is definitely mapper #0 (NROM), I've seen the board. The mirroring is semi-permanently selected on these kinds of boards with a little drop of solder. Maybe an emu could load it as mapper #1, but it really should be zero.

And one screen mirroring can only be done by a mapper. The PPU register only lets you select the base nametable to scroll from.

BTW, if you can't afford the $399 USD (!) for IDA Pro, it should be find-able on jigle.com. I can see why they charge that much for it, but I can't really imagine anyone paying that much only for hacking an NES rom..
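The mapper disagreement above comes down to what the 16-byte iNES header claims (the header orlot stripped before disassembling, then re-read in a hex editor). As an added example, not code from the thread, here is a Python parser for that header; the two headers it inspects are constructed for the demo, not dumped from a cartridge, and nrom_sized encodes the thread's size argument (32K PRG + 8K CHR needs no mapper) purely as a heuristic.

```python
"""Decode an iNES header and flag a mapper claim the image size does not call for."""
import struct

def parse_ines(rom: bytes) -> dict:
    """Decode the iNES header (bytes 0-15): PRG size in 16KB units, CHR size in 8KB units,
    flags 6 (bit 0 mirroring, bit 2 trainer, bit 3 four-screen, high nibble = mapper low nibble)
    and flags 7 (high nibble = mapper high nibble)."""
    if len(rom) < 16 or rom[:4] != b"NES\x1a":
        raise ValueError("not an iNES image")
    prg_banks, chr_banks, flags6, flags7 = struct.unpack_from("<4xBBBB", rom)
    trainer = bool(flags6 & 0x04)
    if flags6 & 0x08:
        mirroring = "four-screen"
    else:
        mirroring = "vertical" if flags6 & 0x01 else "horizontal"
    return {
        "prg_kb": prg_banks * 16,
        "chr_kb": chr_banks * 8,
        "mapper": (flags6 >> 4) | (flags7 & 0xF0),
        "mirroring": mirroring,
        "trainer": trainer,
        # Offset of the first PRG byte: what a disassembler should load, i.e. the 16-byte
        # header (plus a 512-byte trainer when present) that must be skipped or stripped.
        "prg_offset": 16 + (512 if trainer else 0),
    }

def nrom_sized(info: dict) -> bool:
    """Heuristic from the thread: up to 32KB PRG and 8KB CHR fit the CPU/PPU address
    space directly, so such an image needs no mapper."""
    return info["prg_kb"] <= 32 and info["chr_kb"] <= 8

def header_warning(rom: bytes) -> str:
    """Return a warning when the header names a non-zero mapper for an NROM-sized image."""
    info = parse_ines(rom)
    if info["mapper"] != 0 and nrom_sized(info):
        return (f"header says mapper {info['mapper']}, but {info['prg_kb']}K PRG + "
                f"{info['chr_kb']}K CHR needs none (NROM)")
    return ""

# Constructed headers: two 16KB PRG banks, one 8KB CHR bank, vertical mirroring, no trainer.
HEADER_CLAIMS_MMC1 = b"NES\x1a" + bytes([2, 1, 0x11, 0x00]) + bytes(8)  # mapper nibble = 1
HEADER_NROM        = b"NES\x1a" + bytes([2, 1, 0x01, 0x00]) + bytes(8)  # mapper nibble = 0

if __name__ == "__main__":
    for name, hdr in (("claims MMC1", HEADER_CLAIMS_MMC1), ("NROM", HEADER_NROM)):
        print(name, parse_ines(hdr), header_warning(hdr) or "ok")
```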




Subject: Re: mapper 1 and mario
Posted by: orlot
Posted on: 7/6/03 5:01 PM

Thanks for the info!


I'll check out IDA but I really like this Commodore 64 tool called auto-disassembler, whose source code I am fine tuning because it is very sloppy programming... and already with a few quick mods to the output formatting this tool successfully disassembles and its output can be assembled with ca65.

Andrew





