A few words about the Zero Team Suicide Revival kit.
How does it work?
1. Fills COP region 740-77f with $ffff data
2. Uploads two unique "macros" to COP:
- trigger 0105 - unk 0006,fffb - offset 0000
data 0180,02e0,00a0
- trigger 0b05 - unk 0006,ffdb - offset 0008
data 0180,02e0,00a0,0182,02e0,00c0
3. COP writes (dma/clear/videoram related)
2000 -> 43e unknown (both always accessed before a dma param change)
1e00 -> 474
(tilemap dma)
0014 -> 47e (type/slot = tilemaps)
02c0 -> 478 (2c0<<6 = $b000 = src)
027f -> 47a (len)
0000 -> 47c
(palette dma)
0015 -> 47e (type/slot = palette)
0380 -> 478 (380<<6 = $e000 = src)
00ff -> 47a (len)
0000 -> 47c
4. The tool code creates a data table at mem location $c000
- 6 pairs of WORDS copied to $c008-$c01f
0000 BAE1
0000 7BBB
0000 75C9
0000 7B67
0000 26EA
0000 B7B9
- 4 pairs of WORDS copied to $c020-$c02f:
0000 0000
0000 A732
0000 B9B7
0000 6D9B
- a loop that builds a big data table. Every entry is 4 WORDS long:
COUNTER 0000 DATA1 DATA2
There are 256 entries (counter starts from 0, ends at $ff)
Data are copied word by word from ROM:
So at the end, the data table in RAM looks like:
- two WORDS = 0 stored at the end of table (at $c830 and $c832)
- another data table at $c840, same structure as the previous one, but shorter (only $40 pairs of data, mostly $ffff):
Do these tables look familiar? $100 and $40?
Maybe sprite encryption data tables?
5. A bunch of COP writes.
Code executes previously uploaded macros with pointers to the data tables
as inputs. Why? No idea. Upload to battery-backed RAM? Could be...
6. At the end we can see a msg:
Sunday, January 17, 2010
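
The RAM layout from step 4, modelled as an added example that is not part of the original post or the tool's own code. It checks that the sizes given there are consistent with each other. Assumptions: the big table starts at $c030 (the first address after the $c020-$c02f block, not stated in the post), the function names are hypothetical, and the ROM words are constructed placeholders.

```python
# Added example: model of the RAM layout from step 4. Word values are keyed by
# byte address, so no CPU endianness is assumed.
HEADER_A = [0xBAE1, 0x7BBB, 0x75C9, 0x7B67, 0x26EA, 0xB7B9]  # pairs at $c008
HEADER_B = [0x0000, 0xA732, 0xB9B7, 0x6D9B]                  # pairs at $c020
TABLE1_BASE = 0xC030   # assumption: first free address after $c02f
TABLE2_BASE = 0xC840   # from the post


def put_pairs(mem, addr, lows):
    """Store (0000, value) word pairs; return the next free byte address."""
    for value in lows:
        mem[addr], mem[addr + 2] = 0x0000, value
        addr += 4
    return addr


def put_table(mem, addr, rom_words, entries):
    """Store `entries` records of COUNTER 0000 DATA1 DATA2 (4 words each)."""
    for counter in range(entries):
        data1, data2 = rom_words[2 * counter], rom_words[2 * counter + 1]
        for offset, word in enumerate((counter, 0x0000, data1, data2)):
            mem[addr + 2 * offset] = word
        addr += 8
    return addr


def build_layout(rom1, rom2):
    """Build both tables; return (memory, end of table 1, end of table 2)."""
    mem = {}
    assert put_pairs(mem, 0xC008, HEADER_A) == 0xC020
    assert put_pairs(mem, 0xC020, HEADER_B) == TABLE1_BASE
    end1 = put_table(mem, TABLE1_BASE, rom1, 0x100)
    mem[end1], mem[end1 + 2] = 0x0000, 0x0000   # two terminating zero words
    end2 = put_table(mem, TABLE2_BASE, rom2, 0x40)
    return mem, end1, end2


# Constructed placeholder ROM contents: the real DATA1/DATA2 words are not in the post.
ROM1 = [0x1111] * 0x200
ROM2 = [0xFFFF] * 0x80   # the post says the short table is "mostly $ffff"

if __name__ == "__main__":
    mem, end1, end2 = build_layout(ROM1, ROM2)
    print(f"table 1 ends at ${end1:04x}, table 2 ends at ${end2:04x}")
```

With that start address, 256 entries of 4 WORDS end exactly at $c830, which is where the post places the two zero WORDS.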