Thursday, July 13, 2017

Cannonball Blitz for the Apple 2 driving me crazy

I remembered this old Apple 2 game called Cannonball Blitz and how impossible it was.



So why not try to fiddle with the mame debugger to get some extra lives. The game gives you a measly 3 lives.

./mame64 apple2e canbbltz -debug


It draws the number of lives in the upper left corner of the graphics screen, so let's set a watchpoint for address $2000.

wpset $2000,1,w

let it run and then do

history

and if you read the list of instructions you'll see a

lda $6f12



and if you open a memory window and change memory location $6f12 to something else, say $7F, you'll have 127 lives.

I tried $FF for 255 lives, but the code does a

9c01 dec $6f12
9c04 bmi $9c17

so anything larger than 127 seems to trigger the branch.

Setting up watchpoints on $6f12 with wpset $6f12,1,rw leads me to the code that initializes the number of lives:

868b lda #$02
868d sta $6f12






So let's just open up a memory window to 868b:



and change that 02 to a 7F:




So now at least I can keep trying to get past level 2... it only displays one character for the number of lives, so you'll only see the lower nibble of the number of lives.

Hey! I finally beat level 2 for the first time ever!



On to level 3!




Finally finished level 3!

I had to use the save state feature of mame, LEFT SHIFT+F7 and then 1 to save state into position 1, F7 to load state.

I saved it right at this spot and must've loaded it about 50 times.



You have to pause and then run under at two spots.



Seriously hard...but finished that level.




More silly fun, let's find where the score is stored.



In the mame debugger, we'll use the f command

So I didn't know exactly how to use it, so I typed "help memory".



One nasty side effect is that reading the memory where the soft switches that control the screen display will put you into text mode, which is easily fixed by restoring the save state with F7 (you did save a state, didn't you?)

So first I tried converting 32760 into hexadecimal for $7ff8, but I couldn't find that in memory, so I decided it must be stored as BCD, for 03 27 60.



It stores it in 9153 and 9156, 9153 seems to be a temporary shadow, 9156 seems to be the "real score".

Setting to FFFFFF gives you this crazy score.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)