Digital archaeology, game disassemblies and more

Pocket Gal Deluxe - Debug Menu and more

There's a request on mamecheat for Pocket Gal Deluxe, and I figured I'd give it a go. I played around for a bit, then discovered a nice, juicy string table with some intriguing bits of text. After a few hours of working backwards through the disassembly, I've discovered a number of interesting bits in the game!

THREE YEARS LATER UPDATE: My original work on this game was done with text disassemblies from MAME, a notebook and my copy of the M68k Reference Manual. How times have changed. I've revisited the game using my newer tools and have elaborated quite a bit on what I originally found, including the discovery of actual input codes to access the dev tools. Everything is much tidier and better explained now.

Version

Pocket Gal Deluxe version text

Like other Data East games, hold P1 Start + P2 Start on game bootup to display the version.

Old/Unused Debug Menu Strings

Pocket Gal Deluxe unused debug stringsPocket Gal Deluxe unused debug stringsPocket Gal Deluxe unused debug strings

Among the text in the string table were these lines of text, in successive order. They may be text from empty placeholder functions, perhaps from an SDK or 'example' program used as a base. (I see to recall seeing these lines in other DECo games' data...) These lines are never actually referenced anywhere else in the code, so we can't really say for sure.

I've only included three screenshots of the text, since it's pretty bland. The full list in order is: WARNING, DECO MARK, OPENING DEMO, TITLE, IDLE, BEST PLAYERS, START DEMO

Copy Protection

Pocket Gal Deluxe Winners Don't Copy string

There are a handful of security check routines in the game. First, there are two checks involves reads from the security device and comparing the value returned. If either are not as expected, it jumps to code that displays the snarky message above, obviously parodying the ugly FBI 'Winners Don't Do Drugs' screen of arcade games from the 90's.

After that, there is a secondary, more interesting check: it checks the actual byte values of the code from the first security check for expected values. So if the first security check against the protection device was removed or altered, it would still fail.

Here's the code, to illustrate. First, the initial check:

securityCheck1:
0006E4: 3039 0016 7D10      move.w  $167d10, D0 ; read from the security device
0006EA: 0C40 8080           cmpi.w  #-$7f80, D0 ; is the value what we expect?
0006EE: 6700 0008           beq     $6f8 ; yes, move on
0006F2: 4EB9 0000 A46E      jsr     dispWinnersDontMakeCopy[$a46e] ; nope! winners don't make copy!!

And then later, we have the secondary check:

subSecurityCheck1:
00A4CA: 2038 06E4           move.l  $6e4.w, D0 ; it's reading from the program code itself, notice the address compared to the code above
00A4CE: 0C80 3039 0016      cmpi.l  #$30390016, D0 ; check the data - again, compare this to the code above
00A4D4: 6600 002C           bne     $a502 ; no good
00A4D8: 2038 06EA           move.l  $6ea.w, D0 ; check the next chunk
00A4DC: 0C80 0C40 8080      cmpi.l  #$c408080, D0 ; etc...
00A4E2: 6600 001E           bne     $a502
00A4E6: 2038 06EE           move.l  $6ee.w, D0
00A4EA: 0C80 6700 0008      cmpi.l  #$67000008, D0
00A4F0: 6600 0010           bne     $a502
00A4F4: 2038 06F2           move.l  $6f2.w, D0
00A4F8: 0C80 4EB9 0000      cmpi.l  #$4eb90000, D0
00A4FE: 6700 0008           beq     $a508 ; everything checked out, exit the function
00A502: 4EB9 0000 A46E      jsr     dispWinnersDontMakeCopy[$a46e] ; we got a hacker over here!
00A508: 4E75                rts

Of course, a skilled code hacker could remove this secondary check too, but it certainly would have given them a headache.

'Data East' Input Codes

There are two input codes hidden on the Data East logo screen, both of which should be accessible by the production hardware without any hacking. As a prerequisite, switches 6 and 7 (marked as Free Play and Unused) need to be enabled on DIP switch 2. For the input code itself, it needs to be entered relatively quickly, before the Data East logo fades.

Note that the Data East logo is not present in the Japanese version of the game. As such, the codes are only available on the European version. However, all the code is still present in the Japanese version; more on that below.

Here are the codes:

Hidden Dev Credits

Player1 Up Down Right Right B1 B1 B2 B1

Just a simple dev credits screen. Nothing to write home about, though it's nice to have it dug out of the code after all these years. It will remain on the screen for a few seconds or until you hit a button, then move on to the title screen. The final line at the bottom translates to "Don't Copy [this game]!!" in a commanding tone.

Debug Tools

Pocket Gal Deluxe debug menuPocket Gal Deluxe debug menuPocket Gal Deluxe debug menuPocket Gal Deluxe debug menu
Player2 Down Up Left Left B2 B2 B1 Start

Here's the big find of the game: a fully functional dev tools menu. Game Mode brings you back to the game. Debug Mode is kind of a let down: it's simply a test of all the images in the game. There's a Sound Mode which is pretty self explanatory, and a Trick Mode, which lets you select the trick stages.

Now, if you don't want to bother with input codes and DIP switches, we can access both of these pieces of code with MAME cheats. This will also allow you to access the dev tools in the Japanese version, which cannot normally be done since the Data East logo is never referenced. You cannot, however, access the hidden dev credits in the Japanese version with this code since it is unreferenced in that version as well. (We could write a cheat to re-link it, but it's kind of pointless since it doesn't have any use and can be viewed easily in the European version...)

Here's the MAME cheat shortcuts:

  <cheat desc="Debug menu">
    <comment>Displayed after starting game from title screen</comment>
    <script state="run">
      <action>maincpu.pb@174101=(maincpu.pb@174101 | 80)</action>
    </script>
  </cheat>

  <cheat desc="Show hidden dev credits">
    <comment>Displayed after Data East logo</comment>
    <script state="run">
      <action>maincpu.pb@174101=(maincpu.pb@174101 | 02)</action>
    </script>
  </cheat>

Unused Girl Pictures

In the 'Debug Mode,' we see there are seven pictures per girl. However, there are only five stages per girl in the game! Indeed, two of the pictures are not normally used. It looks like there was a planned or removed (or present in another, undumped version?) non-nude version.

The pointer tables for the pictures start at 0x362C for the Japanese version, 0x3632 for Euro. The very first table with four pointers (one for each girl) is unreferenced by the code; immediately following it is another table with four entries, which IS referenced. The second set is, of course, the one actually used in the game. The entries in each of these tables point to another pointer table, which then link to the code to display each picture. The unused lists seem to be more 'safe,' with no references to the last couple, nude images. The picture lists that ARE used in the game are lacking two of the more conservative images, which makes them unused in our dumps.

If you want to use the safe/unused lists, here's a MAME cheat:

Japanese:

  <cheat desc="Use 'safe' images">
    <comment>Enable the unused picture list, which lacks nudity</comment>
    <script state="on">
      <action>temp0=maincpu.ow@35f2</action>
      <action>maincpu.ow@35f2=362c</action>
    </script>
    <script state="off">
      <action>maincpu.ow@35f2=temp0</action>
    </script>
  </cheat>

Euro:

  <cheat desc="Use 'safe' images">
    <comment>Enable the unused picture list, which lacks nudity</comment>
    <script state="on">
      <action>temp0=maincpu.ow@35f8</action>
      <action>maincpu.ow@35f8=3632</action>
    </script>
    <script state="off">
      <action>maincpu.ow@35f8=temp0</action>
    </script>
  </cheat>

  • 2015.01.31 05:01 by Ryou