Viewing Issue Advanced Details
ID: 00286
Category: Crash/Freeze
Severity: Critical (emulation)
Reproducibility: Have not tried
Date Submitted: Jan 28, 2008, 03:34
Last Update: Feb 13, 2010, 12:01
Tester: ShimaPong
View Status: Public
Assigned To: couriersud
Resolution: Fixed
Status: Resolved
Version: 0.116
Fixed in Version: 0.136u1
Summary: 00286: czeroize: Game broken after finishing loading the cassette tape on 0.114u4 or later.
Description: The game is broken after it finishes loading the cassette tape on 0.114u4 or later. This problem seems to be caused by the M6502 update in 0.114u4.

Try setting "bp 3728" when the debugger first appears.

371B: 20 4F 57    jsr  $372F
371E: 20 52 57    jsr  $3732
3721: 38          sec
3722: E9 0D       sbc  #$0D
3724: 8D 4E 57    sta  $372E
3727: E8          inx
3728: D0 04       bne  $372E
372A: C0 01       cpy  #$01
372C: D0 ED       bne  $371B
372E: F3 A2       isc  ($C2),y
3730: 00 24       m6502_brk #$44
3732: E8          inx
3733: BD 00 E5    lda  $E500,x
3736: 60          rts

The game crashes at $3730. But on 0.114u3, there is no crash.

371B: 20 4F 57    jsr  $372F
371E: 20 52 57    jsr  $3732
3721: 38          sec
3722: E9 0D       sbc  #$0D
3724: 8D 4E 57    sta  $372E
3727: E8          inx
3728: D0 04       bne  $372E
372A: C0 01       cpy  #$01
372C: D0 ED       bne  $371B
372E: F3          ill  $F3
372F: A2 00       ldx  #$00
3731: 24 E8       bit  $E8
3733: BD 00 E5    lda  $E500,x
3736: 60          rts

BTW, I have made a cheat code to prevent the crash.
:czeroize:00800000:3729:00000005:FFFFFFFF:Avoid Crash [TEST]
Regression Version: 0.114u4
Affected Sets / Systems: czeroize

Relationships: There are no relationships linked to this issue.

Notes (5)

No.00264 couriersud (Developer), Mar 19, 2008, 21:55, edited on: Mar 19, 2008, 23:43
On 0.123u6 the load finishes. Afterwards, the game keeps resetting.

Code at 3707 reads the dongle. The following code around 3721 modifies 372e: it writes f3 there. The dongle read has to return e.g. 0x0d on the read of E500 so that a 00 (NOP) is written to 372e and the game can continue.
No.01173 ShimaPong (Tester), Jun 1, 2008, 18:12

Question

> Dongle read has to return e.g. 0x0d on read to E500 so that a 00 (NOP) is written to 372e so that the game can continue.

czeroize is based on the M6502 CPU, so I think NOP is 0xEA.
Is NOP = 0x00 correct in this case? Because it is encrypted??
No.01178 ShimaPong (Tester), Jun 2, 2008, 15:00

I understand. Sorry for my silly question.
No.05382 M.A.S.H. (Senior Tester), Jan 4, 2010, 04:54, edited on: Jan 4, 2010, 04:55

I have compiled MAME 0.114u4 with the old M6502 files from 0.114u3 using
mingw-mame-20070617.exe and Zeroize works again.
Then I used the M6502 files from 0.114u4 and edited the 6502 opcode file (cpu\m6502\t6502.c).
In MAME 0.114u4 many new illegal opcodes were added to t6502.c.
I replaced and compared them one by one with the t6502.c file from 0.114u3 and found out
that the illegal 6510 opcode ISB is the problem!

ISB is defined in src\emu\cpu\m6502\ill02.h:

/* 6510 ********************************************************
 * ISB increment and subtract with carry
 ***************************************************************/
#define ISB \
tmp = (UINT8)(tmp+1); \
SBC

If you change line 106 of src\emu\cpu\m6502\t6502.c in MAME 0.136 from

OP(f3) { int tmp; RD_IDY_NP; WB_EA; ISB; WB_EA; } /* 7 ISB IDY */

to

OP(f3) { ILL; } /* 2 ILL */

=> then Zeroize works again :)
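The following is an added example, not code from this bug report or from MAME: a small Python model of the dongle-check routine at $371B-$3736 from the description, executed under the two decodings of opcode $F3 that M.A.S.H.'s note identifies (a one-byte illegal no-op before 0.114u4, the two-byte ISB (zp),y afterwards). It shows why the byte the routine stores at $372E shifts the instruction boundary onto the $00 at $3730 under the ISB decoding, why the cheat in the description (writing $05 at $3729, which in this encoding is the offset byte of bne $372E) makes the branch land on $372F instead, and which dongle value would make the routine store a harmless one-byte opcode. Assumptions, labelled in the code: the fragment is assembled from the listed mnemonics with the plain 6502 encoding (the thread hints that the real opcode bytes are encrypted, which this model ignores), the dongle table at $E500 is constructed, Y is 1 on entry so the outer loop exits after one pass, and only the flags the fragment needs are tracked.

```python
# Added example (not MAME or bug-report code): model of the Zeroize dongle
# check at $371B-$3736 under the two decodings of opcode $F3.

BASE = 0x371B
CALLER = 0x1000   # fake return address: reaching it via RTS means the check passed

# Constructed from the listing's mnemonics with the plain 6502 encoding
# (assumption: the real opcode bytes may be encrypted; that is ignored here).
FRAGMENT = bytes([
    0x20, 0x2F, 0x37,   # 371B  jsr $372F
    0x20, 0x32, 0x37,   # 371E  jsr $3732
    0x38,               # 3721  sec
    0xE9, 0x0D,         # 3722  sbc #$0D
    0x8D, 0x2E, 0x37,   # 3724  sta $372E    <- rewrites the byte at $372E
    0xE8,               # 3727  inx
    0xD0, 0x04,         # 3728  bne $372E    <- the cheat changes this $04 to $05
    0xC0, 0x01,         # 372A  cpy #$01
    0xD0, 0xED,         # 372C  bne $371B
    0xF3,               # 372E  executed after the store; ROM holds $F3
    0xA2, 0x00,         # 372F  ldx #$00
    0x24, 0xE8,         # 3731  bit $E8
    0xBD, 0x00, 0xE5,   # 3733  lda $E500,x
    0x60,               # 3736  rts
])

# Instruction lengths for the opcodes modelled; $F3 depends on the core version.
LEN = {0x20: 3, 0x60: 1, 0x38: 1, 0xE9: 2, 0x8D: 3, 0xE8: 1, 0xD0: 2,
       0xC0: 2, 0xA2: 2, 0x24: 2, 0xBD: 3, 0xEA: 1}


def dongle_byte_for(stored):
    """Inverse of 'sec; sbc #$0D': the dongle byte that makes the routine store `stored`."""
    return (stored + 0x0D) & 0xFF


def run_dongle_check(dongle, isb_two_bytes, patch=None, max_steps=100):
    """Run from $371B. Returns ('returned', pc) when RTS reaches the fake caller,
    ('brk', pc) on opcode $00, or ('unknown', pc) on an opcode not modelled."""
    mem = bytearray(0x10000)
    mem[BASE:BASE + len(FRAGMENT)] = FRAGMENT
    for i in range(0x100):                     # constructed dongle table at $E500
        mem[0xE500 + i] = dongle[i % len(dongle)]
    for addr, val in (patch or {}).items():    # e.g. the cheat: {0x3729: 0x05}
        mem[addr] = val
    a = x = 0
    y = 1                                      # assumption: Y=1 on entry
    c = z = False                              # only C and Z are tracked
    stack = [CALLER - 1]                       # what the caller's JSR would have pushed
    pc = BASE

    def flags(v):
        nonlocal z
        z = (v & 0xFF) == 0
        return v & 0xFF

    def sbc(v):                                # A - v - borrow; sets C and Z
        nonlocal a, c
        r = a - v - (0 if c else 1)
        c = r >= 0
        a = flags(r)

    for _ in range(max_steps):
        op, imm = mem[pc], mem[pc + 1]
        abs16 = imm | (mem[pc + 2] << 8)
        if op == 0x00:                         # brk: the crash in the report
            return 'brk', pc
        if op not in LEN and op != 0xF3:
            return 'unknown', pc
        cur = pc
        pc += LEN[op] if op in LEN else (2 if isb_two_bytes else 1)
        if op == 0x20:                         # jsr abs
            stack.append(cur + 2)
            pc = abs16
        elif op == 0x60:                       # rts
            pc = stack.pop() + 1
            if pc == CALLER:
                return 'returned', pc
        elif op == 0x38:                       # sec
            c = True
        elif op == 0xE9:                       # sbc #imm
            sbc(imm)
        elif op == 0x8D:                       # sta abs
            mem[abs16] = a
        elif op == 0xE8:                       # inx
            x = flags(x + 1)
        elif op == 0xD0 and not z:             # bne rel, taken
            pc += imm - 0x100 if imm & 0x80 else imm
        elif op == 0xC0:                       # cpy #imm
            c = y >= imm
            flags(y - imm)
        elif op == 0xA2:                       # ldx #imm
            x = flags(imm)
        elif op == 0x24:                       # bit zp (only Z modelled)
            flags(a & mem[imm])
        elif op == 0xBD:                       # lda abs,x
            a = flags(mem[abs16 + x])
        elif op == 0xF3 and isb_two_bytes:     # 0.114u4+: isb (zp),y = inc memory, then sbc
            ea = ((mem[imm] | (mem[(imm + 1) & 0xFF] << 8)) + y) & 0xFFFF
            mem[ea] = (mem[ea] + 1) & 0xFF
            sbc(mem[ea])
        # nop, an untaken bne, and the pre-0.114u4 one-byte "ill" $F3 just fall through
    return 'timeout', pc


if __name__ == '__main__':
    print('0.114u3 decoding, dongle reads 0x00:', run_dongle_check([0x00], False))
    print('0.114u4+ decoding, dongle reads 0x00:', run_dongle_check([0x00], True))
    print('0.114u4+ with cheat $3729=05:', run_dongle_check([0x00], True, {0x3729: 0x05}))
    print('0.114u4+, dongle byte that stores NOP:', run_dongle_check([0x00, dongle_byte_for(0xEA)], True))
```

Run stand-alone, the block prints four outcomes. The first two reproduce the report: with the dongle reading 0x00 the routine stores $F3 at $372E (0x00 - 0x0D with carry set), the one-byte decoding steps over it to ldx #$00 and returns to the caller, while the ISB decoding consumes $F3 $A2 and lands on the $00 at $3730. The third shows the cheat redirecting the branch to $372F so the stored byte is never executed. The fourth shows that a dongle byte of $F7 would store $EA (NOP), which survives both decodings. The model says nothing about what the real dongle returns; the fix recorded in the last note simulates the protection in lieu of a dongle dump.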
No.05711 couriersud (Developer), Feb 13, 2010, 12:01
fix zeroize protection simulation in lieu of proper dongle dump. [Bryan McPhail]