River City Ransom
- Finding title logo sprite/bitmap data


(0)
Set a memory logging breakpoint at sprite vram.

hook_wr1 0 eb0000 eb0400


(1)
Load disks1/2 and the system will continue.
It will display a splash screen in text ASCII.

Wait until it almost turns black.
Hit 'INS'. Save state 0.
Turn on tracing with '/'.
Hit 'HOME'.

Wait until the kunio/riki sprites start moving on-screen.
Hit '.' to dump memory.


(2)
We get led to here:

; subtract xpos of sprites

<5350> 030102 : subq.w  #1, (A0)                    D0:000B001C D1:00000290 D2:0000DD70 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000000E CR:0246 A0:00EB0000 A1:00EB0190 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B5E SR:0026
<5048> 030104 : addq.w  #8, A0                      D0:000B001C D1:00000290 D2:0000DD70 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000000E CR:0246 A0:00EB0000 A1:00EB0190 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B5E SR:0026
<51C8> 030106 : dbra    D0, 30102                   D0:000B001C D1:00000290 D2:0000DD70 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000000E CR:0246 A0:00EB0008 A1:00EB0190 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B5E SR:0026


------>


; init sprite-ram

<32D8> 0300A8 : move.w  (A0)+, (A1)+                D0:000B00C7 D1:00000290 D2:0000DD70 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0080 A0:00058730 A1:00EB0000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B76 SR:0027
<51C8> 0300AA : dbra    D0, 300a8                   D0:000B00C7 D1:00000290 D2:0000DD70 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0080 A0:00058732 A1:00EB0002 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B76 SR:0027

Compare the RAM location @ 58730 with the disk files.
Match inside DTW.X @ 30570-30700.


The BG.bin file shows us our sprites too.
Match inside LOAD.SPR

So now we've found our sprite data.


(3)

Examine the GRP-16A data for the logo.
We get a rough tile address.
Remember that it's 512-pixels wide.

Use memory logging point at GRP.
hook_wr2 0 c0c498 c0c4f8


Load emulator. Hit 'INS' when PC runs.
Load state 0.


[02:A7EE] W08 = 00 [C0C498]
[02:A7EE] W08 = 0F [C0C499]
[02:A7F0] W08 = 00 [C0C49A]
[02:A7F0] W08 = 0F [C0C49B]

; write to vram

<30C0> 02A7E8 : move.w  D0, (A0)+                   D0:0000000F D1:000001F6 D2:000009D6 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0046 A0:00C0C09A A1:00E00008 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020
<30C0> 02A7EA : move.w  D0, (A0)+                   D0:0000000F D1:000001F6 D2:000009D6 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0046 A0:00C0C09C A1:00E00008 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020
<30C0> 02A7EC : move.w  D0, (A0)+                   D0:0000000F D1:000001F6 D2:000009D6 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0046 A0:00C0C09E A1:00E00008 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020
<30C0> 02A7EE : move.w  D0, (A0)+                   D0:0000000F D1:000001F6 D2:000009D6 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0046 A0:00C0C0A0 A1:00E00008 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020
<30C0> 02A7F0 : move.w  D0, (A0)+                   D0:0000000F D1:000001F6 D2:000009D6 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0046 A0:00C0C0A2 A1:00E00008 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020


------>


<4282> 02A5BE : clr.l   D2                          D0:00000000 D1:00000000 D2:000013B4 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0040 A0:00C00000 A1:00E00000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020

; VRAM offset (MSB)
; - 512 pixels wide, 16-bit NT

<3419> 02A5C0 : move.w  (A1)+, D2                   D0:00000000 D1:00000000 D2:00000000 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0040 A0:00C00000 A1:00E00000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020
<E15A> 02A5C2 : rol.w   #8, D2                      D0:00000000 D1:00000000 D2:00003000 D3:00000000 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0040 A0:00C00000 A1:00E00002 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B78 SR:0020


------>


<227C> 02A37C : movea.l #$e00000, A1                D0:00000000 D1:00000000 D2:000013B4 D3:00000054 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0246 A0:00056680 A1:00E00000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B7C SR:0020
<207C> 02A382 : movea.l #$c00000, A0                D0:00000000 D1:00000000 D2:000013B4 D3:00000054 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0246 A0:00056680 A1:00E00000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B7C SR:0020
<4243> 02A388 : clr.w   D3                          D0:00000000 D1:00000000 D2:000013B4 D3:00000054 D4:0000007F D5:00000000 D6:0000001F D7:0000FFFF CR:0246 A0:00C00000 A1:00E00000 A2:00039A4A A3:FFFFFFFF A4:00028200 A5:00038FBE A6:00056300 A7:00061B7C SR:0020


This means that our file is being loaded to text vram (A1) as a memory cache.


Checking the registers, we find TITLE.GRN as the source.
Need to write an RLE unpacker.