ROM to RAM Question

[BioMechanical Dude]

So, I've been trying to hack NES games and hard code values like the number of lives you start with, weapons, etc. FCEUX's Game Genie Decoder/Encoder works great for finding the right ROM address in early titles like "Super Mario Bros.", but when it comes to games that use mappers, things got complicated.

Let's say we've got "Castlevania" and we want to change the number of lives you start with. I know, that the RAM address for them is $002A and the original value is 04. No matter how much I searched, none of the "Possible Affected ROM File Addresses" contained the value of 04!

After that, I decided to find out which addresses in the MMC1 Mapper are used for PRG code banks. I searched for addresses in NES Memory, then tried to change their values in the ROM file, but there was no effect. The game hadn't changed at all!

In the end, I said "screw it!" and made a dump of the Assembly Code in the game. So, naturally, somewhere in the code, there should be lines like:
LDA #$04
STA $002A
But no! There wasn't anything like that. In fact, there was no line of code, writing anything from the Accumulator, X or Y into that address!

So, what's wrong? Why is that address never used, when it clearly contains important information? Is it possible, that the game writes to a different address and, somehow, it gets changed in the emulator? I don't think the header has anything to do with that, but who knows? Somebody, please, help!

[thefox]

Set a "write" breakpoint on $2A in an emulator like FCEUX or Nintendulator(DX). It should take you right to the place where the number of lives is written. Note that if the game clears RAM on init, you may get an extra break because of that.

[Quietust]

Set a "write" breakpoint on $2A in an emulator like FCEUX or Nintendulator(DX). It should take you right to the place where the number of lives is written. Note that if the game clears RAM on init, you may get an extra break because of that.

I was doing this while you made that post, and this is what it turned up:

Code: Select all

C92A: LDA #$04
C92C: STA $2A

"STA $002A" and "STA $2A" are not the same thing - the former is absolute, and the latter is zero-page.

[rainwarrior]

Did you try looking for 5 or 3? Often the remaining lives indicator is different by one from the internally stored value.

If you still can't find it, setup a trace log and put a breakpoint on the byte of the screen's PPU memory where the indicator is shown. Once the breakpoint is hit, save the trace then follow the data trail backwards until you learn where it came from.

[mikaelmoizt]

Like people already have suggested.. add a write breakpoint on $002a, reset the game.
The first write made is most likely for clearing RAM.

(found it..)

[BioMechanical Dude]

Thanks, guys. This works pretty well.