+  RHDN Forum Archive
|-+  Romhacking
| |-+  General Romhacking
| | |-+  Odd debuging issue - Geiger's Snes9X Debugger.
Pages: [1] 2
Author Topic: Odd debuging issue - Geiger's Snes9X Debugger.  (Read 1 times)
Mauron
Guest
« on: March 15, 2009, 04:30:37 pm »

I've been working on a Chrono Trigger hack, and the latest part has me stumped thanks to an unusual problem.

I'm trying to find where a value is being stored to 7E0061 during menu load, so I set that as a write breakpoint. The first thing that comes up is this:
Code:
$C2/953C 8D 0B 42 STA $420B
Not the right line, so I press run, and that's where the oddity takes place. It just comes up with a blank screen. Stepping through the code, I found it reaching this:
Code:
$C2/5841 6B RTL
$00/0001 00 00 BRK #$00
$00/FF18 AF EF CD AB LDA $ABCDEF[$AB:CDEF]
$00/FF1C 80 FA BRA $FA    [$FF18]
Restoring from the statesave I had used earlier, I load the menu without the breakpoint I had set earlier, and the menu loads fine.

My questions are why is it doing this, and more importantly, how do I avoid it?
DaMarsMan
Guest
« Reply #1 on: March 15, 2009, 05:28:48 pm »

$420B is a the register that starts DMA transfer. So it's likely that it is the right line.
Mauron
Guest
« Reply #2 on: March 15, 2009, 05:53:18 pm »

No, it's definitely not the one. Since I couldn't find it this way thanks to it hitting that BRK #$00, I went through recorded data and found one where it was storing the correct value to that memory address.
Parasyte
Guest
« Reply #3 on: March 16, 2009, 03:44:33 am »

I hate to say it, but the debugger is horribly buggy. You're lucky it didn't crash on you. :x It really needs to be replaced with a more reasonable debugger solution. (Oh, it feels like 2002 all over again, *sigh*)
Nightcrawler
Guest
« Reply #4 on: March 16, 2009, 07:53:50 am »

Quote from: Mauron on March 15, 2009, 05:53:18 pm
No, it's definitely not the one. Since I couldn't find it this way thanks to it hitting that BRK #$00, I went through recorded data and found one where it was storing the correct value to that memory address.

The debugger is telling you an instance data was written to 7E0061 during a DMA transfer. The debugger is not telling you it's THE INSTANCE YOU WERE LOOKING FOR. I'd be my lunch the DMA transfer the debugger snaps on does in fact transfer something to 7E0061. Just turn on DMA debugging and you can see the source, destination, and number of bytes. I'm sure you'll find it covers 7E0061. Wink

It also sounds like you have something messed up. I wouldn't expect production game code to use the BRK #$00 instruction during normal execution.
RedComet
Guest
« Reply #5 on: March 16, 2009, 08:30:00 am »

Quote from: Nightcrawler on March 16, 2009, 07:53:50 am
It also sounds like you have something messed up. I wouldn't expect production game code to use the BRK #$00 instruction during normal execution.

Building on what NC said, have you hacked the game any yet or are you still dismantling the original code? It sounds like you've corrupted the stack with your RTL.
Mauron
Guest
« Reply #6 on: March 16, 2009, 02:38:48 pm »

Quote from: RedComet on March 16, 2009, 08:30:00 am
Building on what NC said, have you hacked the game any yet or are you still dismantling the original code? It sounds like you've corrupted the stack with your RTL.

The ROM that I was doing this with when I first posted has been hacked in a variety of ways, but I just tested it on a fresh ROM and it produced the same issue.

Could you elaborate on "corrupting the stack with a RTL"? I've done it before (and sometimes fixed it, thanks to trial and error) without really understanding what I've done.

Quote from: Nightcrawler on March 16, 2009, 07:53:50 am
The debugger is telling you an instance data was written to 7E0061 during a DMA transfer. The debugger is not telling you it's THE INSTANCE YOU WERE LOOKING FOR.

Sorry, I misinterpreted DaMarsMan's post as meaning it was the instance I was looking for.
MathOnNapkins
Guest
« Reply #7 on: March 16, 2009, 03:54:15 pm »

Corrupting the stack would involve pushing and pulling the wrong number of bytes within a subroutine. For example:

Code:
; code at $8000

    JSR $8080

; code for $8080 in the same bank would be here

    REP #$30
   
    LDA $0000
    STA $0002

    ; other code, etc, etc

    RTL


That would corrupt the stack because you used a JSR instruction to get to $8080 but used an RTL instruction to return.

The JSR pushes two bytes (the return address) onto the stack and RTL pulls three bytes off of the stack (a 3 byte return address that also sets the program bank)

Thus, you would likely end up in completely different bank after the RTL executes and for all you know you could be executing data rather than code, which is very bad, mmkay. For all intents and purposes that's losing control of your code and the code will likely not recover and will probably end up in an infinite loop, wreaking havoc with the rest of the game, and eventually crashing. Since CPUs execute things so quickly it appears to us in real time to crash extremely quickly, usually.

Other ways to corrupt the stack are to push bytes to the stack like with PHA, and not pull them off the stack at the end of the routine. Sometimes there's a clever reason to not pull bytes off the stack but usually it will cause you problems.

Parasyte
Guest
« Reply #8 on: March 16, 2009, 06:33:53 pm »

I just tried to reproduce what you described (since it seems no one is paying proper attention) and I see the same results. The breakpoint that hits just after the title screen will end up in no-man's land at $00/0001 when you step out twice.

In fact, stepping out once after this breakpoint takes you to the wrong address: $C2/0001. The proper return address $C2/94FA, which you can verify by placing an execute breakpoint on $C2/953F (the instruction directly following the DMA-of-death) and stepping just a few instructions to the RTS.

Geiger's SNES9x *really* has to go away. I think it's served its purpose and outlived its welcome, unfortunately.
CaseCrash
Guest
« Reply #9 on: March 16, 2009, 10:48:10 pm »

Is there anything else to use really? Everything I've seen when trying to find out about SNES hacking has mentioned Geiger's SNES9x Debugger as what to use. Any up-and-comers that are any good?
Nightcrawler
Guest
« Reply #10 on: March 17, 2009, 08:23:23 am »

No. Geiger's is still pretty much it. SNES debugging tools are still stuck in a time warp.

I've tried to get the source from Geiger to fix it up and update it myself, but he never responded to any attempts to contact.


I'd advise grabbing BSNES v013 with the debugger from our site here and use that as a workaround for this issue. I will occasionally use it to confirm something that doesn't seem right in Geiger's.
BRPXQZME
Guest
« Reply #11 on: March 17, 2009, 08:49:59 am »

Quote from: CaseCrash on March 16, 2009, 10:48:10 pm
Is there anything else to use really? Everything I've seen when trying to find out about SNES hacking has mentioned Geiger's SNES9x Debugger as what to use. Any up-and-comers that are any good?
I know what byuu would recommend... @#$% with the bsnes source for great searching! D:
Gemini
Guest
« Reply #12 on: March 17, 2009, 09:04:46 am »

I agree on scanning the bsnes sources, entirely. Cheesy It was so useful when I was writing my Snes rendering shell for Star Ocean Psx, especially for the DMA/HDMA part.
Nightcrawler
Guest
« Reply #13 on: March 17, 2009, 09:17:13 am »

Right... Someone who doesn't know what stack corruption is for an RTL instruction is going to get so much out of looking at heaps of C++ code....

I disagree with trying to pass off the idea of modifying source code for an emulator as an adequate debugging solution for all. I also disagree with source code as a replacement for documentation. Source code is a good supplement, but it's not documentation. One should not be required to know a specific programming language to read documentation.

Sorry, these things really bother me. People with this mentality assume everyone knows C++, there's no need for written explanation, everyone can code an emulator, and everyone is at an advanced level. That's just not reality.
BRPXQZME
Guest
« Reply #14 on: March 17, 2009, 09:30:37 am »

Quote from: Nightcrawler on March 17, 2009, 09:17:13 am
Sorry, these things really bother me. People with this mentality assume everyone knows C++, there's no need for written explanation, everyone can code an emulator, and everyone is at an advanced level. That's just not reality.
Of course, the “D:” would mean that at some level, I agree with you on this. Will modifying the emulator source (ignoring how clean the code may or may not be) give you the best search performance EVAR?! Yes, but uh... man, that’s hardcore.
Pages: [1] 2  


Powered by SMF 1.1.4 | SMF © 2006-2007, Simple Machines LLC