Fixing The Munsters game

Pagina 1/2
| 2

Door SLotman

Paragon (1238)

afbeelding van SLotman

27-02-2011, 03:56

Some time ago, I received an email, telling me that the game "The Munsters" had a very nasty bug - the game freezes when you're about to go to stage 2.

I checked every dump available of the game - including the tape version from Martos, and they all lock once Frankenstein walks off screen (Check even tha map on MSX Solutions, it shows that screen as the game ending, when there are much, much more rooms that this bug prevent us to see!)

Debugging the game, I narrow it down to this routine

Unfortunately, I couldn't find the bug. I managed to "unlock" the problematic room: just change one byte where the room data is, and you will be able to walk on it - but the background graphics will be severely corrupt.

On BlueMSX, open the trainer and add this "cheat": address 24FF, value: 0. This will prevent the game from freezing, and if you' re playing the TAPE version, you'll see 2 rooms (probably those 2 uses the same room-data) corrupted, but you'll be able to play the game to the end.

But, if you're playing the DISK version, you also need to change: 2A3A, value 0. This will prevent the game from freezing again on the "Exit" room.

Beware, that some disk versions are even worst, and locks up on some rooms with no reason!

I compared the room data (first room starts at 12F0h and last room starts at 2FA2h) from the disk version with the tape version, and they're both the same, so I can't understand why the disk version freezes on this other room, and the tape one doesn't.

I really don't know if I'll put more time trying to fix the game (I don't even know where to go from here), so if anyone wants to take all that info, and fix it, please, be my guest :)

Anyway, with those "cheats" above, everyone will be able to reach the game ending B-)

Aangemeld of registreer om reacties te plaatsen

Van MäSäXi

Paragon (1884)

afbeelding van MäSäXi

27-02-2011, 14:43

Nice. Smile I was waiting if somebody would reply on only69´s news topic, where there was that The Munsters bug thing mentioned some weeks ago and if no reply comes, then I would start a topic about it.

I hope that either you or somebody else will find and fix that bug AND make a bug-fixing loader for original cassette game, so I could load my game on my MSX and get a chance to free other members of Munster family and get a chance to drive their super-Cool Hot Rod!! Big smilewww.myfishingpictures.com/data/500/MunsterKoach2c.jpg

Not everybody use just emulator, I wanna play and finish my original The Munsters cassette game At Last! :D

Van flyguille

Prophet (3028)

afbeelding van flyguille

27-02-2011, 20:59

checking, a idea of what is for those variableS?

Van flyguille

Prophet (3028)

afbeelding van flyguille

27-02-2011, 21:15

AF6B:   ld     (#aa6a),de      ; saves [de] for later use.
AF6F:   ld     l,a             ; a = index to some table (number of record), the table is a WORD matrix.
AF70:   ld     h,#00      
AF72:   add    hl,hl      
AF73:   ld     bc,(#aa74)      ; #aa74 has the start address of the beginning of the table.
AF77:   add    hl,bc           ; hl = pointer(#aa74) + a * 2

AF78:   ld     d,(hl)     
AF79:   inc    hl         
AF7A:   ld     e,(hl)          ; reads the record in the table that points [a]

AF7B:   ex     de,hl      
AF7C:   add    hl,bc           ; readed record = is an offset for navigate the same table. because that it needs to plus the beginning addr of the table.

AF7D:   xor    a          
AF7E:   ex     af,af'     
AF7F:   ld     b,(hl)     
AF80:   inc    hl         
AF81:   ld     a,b        
AF82:   or     a          
AF83:   ret    z      		; if the new record pointed has a ZERO, it escapeS!, it looks like a chained table terminated by a zero record.

    				; at this point, [hl] is on the high byte of the record tested.
AF84:   ld     de,#0000   
AF87:   srl    b          
AF89:   jr     c,#af91          ; if bit0 of low byte of the record tested is ZERO, then ... ; else DE = 0
	AF8B:   ld     e,(hl)     
	AF8C:   inc    hl         
	AF8D:   srl    b        ; ... moves original bit1 of low byte of the record into [d] bit0 moving the rest. 
	AF8F:   rl     d 	; it read the high byte of the record, move the index to the start of next record, 

				; resuming: E = high byte of the record tested ; 
				; resuming: D = 0 or 1 according of what bit1 of the record tested was!.

;WARNING if the record don't points to the other structure, HL= will not points to the start of the next record in the table chained.

;so if the record is not a END (#xx00) value, bit0 = a flag that indicates that itself is pointing to other data structure.
;it is a pointer of 9 bits, given by the high byte #xx *2 plus the original bit1 of the record being it the less valued bit.
;if the record is indicating not pointing to nothing, it returns DE = 0 , so it point to the start of the other data structure.
         
				; Once with the index pointing at the other data structure in DE.
         
AF91:   push   hl         	; saves the pointer to the record already tested of original table.
AF92:   ex     de,hl      
AF93:   ld     de,(#aa76) 	; the start addr of another table.
AF97:   add    hl,de     	; calculates the addr of a record in this another table. 

AF98:   ld     a,(hl)     
AF99:   ld     (#aa6c),a  	; Reads and saves from this another table. Must be a flag for later use. it is one byte element?.
AF9C:   sbc    hl,de            ; restore original offset to this another table.

   
AF9E:   add    hl,hl      
AF9F:   add    hl,hl      
AFA0:   add    hl,hl      	; offset = offset * 8.
AFA1:   ld     de,(#aa72) 
AFA5:   add    hl,de 		; Offset =+ #aa72   ; A THIRD STRUCTURE that uses the same index. so two structures coupled.
AFA6:   ex     de,hl      	; de= offset

AFA7:   ld     hl,(#aa6a) 	; RECOVERING the INPUT DE value when called the routine.


Van PingPong

Prophet (3759)

afbeelding van PingPong

27-02-2011, 21:23

the game is a spectrum port. maybe the original had the same bug? if not. maybe comparing both versions.... just an idea.

Van robertwilting

Champion (467)

afbeelding van robertwilting

27-02-2011, 21:55

Based on the information on the net, the spectrum version should allow you to play at least 4 stages.

http://www.the-tipshop.co.uk/cgi-bin/info.pl?wosid=0003329

Van flyguille

Prophet (3028)

afbeelding van flyguille

27-02-2011, 21:59

complete code analisys in 30min.


AF6B:   ld     (#aa6a),de      ; saves [de] for later use.
AF6F:   ld     l,a             ; a = índice a alguna tabla, la tabla es una matriz WORD.
AF70:   ld     h,#00      
AF72:   add    hl,hl      
AF73:   ld     bc,(#aa74)      ; #aa74 has the start address of the beginning of the table.
AF77:   add    hl,bc           ; hl = pointer(#aa74) + a * 2

AF78:   ld     d,(hl)     
AF79:   inc    hl         
AF7A:   ld     e,(hl)          ; reads the record in the table that points [a]

AF7B:   ex     de,hl      
AF7C:   add    hl,bc           ; readed record = is an offset for navigate the same table. because that it needs to plus the beginning addr of the table.

AF7D:   xor    a          
AF7E:   ex     af,af'     


JUMPPPBACK:

AF7F:   ld     b,(hl)     
AF80:   inc    hl         
AF81:   ld     a,b        
AF82:   or     a          
AF83:   ret    z      		; if the new record pointer has a ZERO, it escapeS!, it looks like a chained table terminated by a zero record.
    				; at this point, [hl] is on the high byte of the record tested.
AF84:   ld     de,#0000   
AF87:   srl    b          
AF89:   jr     c,#af91          ; if bit0 of low byte of the record tested is ZERO, then ... ; else DE = 0
	AF8B:   ld     e,(hl)     
	AF8C:   inc    hl         
	AF8D:   srl    b        ; ... moves original bit1 of low byte of the record into [d] bit0 moving the rest. 
	AF8F:   rl     d 	; it read the high byte of the record, move the index to the start of next record, 

				; resuming: E = high byte of the record tested ; 
				; resuming: D = 0 or 1 according of what bit1 of the record tested was!.

;WARNING if the record don't points to the other structure, HL= will not points to the start of the next record in the table chained.

;so if the record is not a END (#xx00) value, bit0 = a flag that indicates that itself is pointing to other data structure.
;it is a pointer of 9 bits, given by the high byte #xx *2 plus the original bit1 of the record being it the less valued bit.
;if the record is indicating not pointing to nothing, it returns DE = 0 , so it point to the start of the other data structure.
				
				; Once with the index pointing at the other data structure in DE.
         
AF91:   push   hl         	; saves the pointer to the record already tested of original table.
AF92:   ex     de,hl      
AF93:   ld     de,(#aa76) 	; the start addr of another table.
AF97:   add    hl,de     	; calculates the addr of a record in this another table. 

AF98:   ld     a,(hl)     
AF99:   ld     (#aa6c),a  	; Reads and saves from this another table. Must be a flag for later use. it is one byte element?.
AF9C:   sbc    hl,de            ; restore original offset to this another table.

   
AF9E:   add    hl,hl      
AF9F:   add    hl,hl      
AFA0:   add    hl,hl      	; offset = offset * 8.
AFA1:   ld     de,(#aa72) 
AFA5:   add    hl,de 		; Offset =+ #aa72   ; A THIRD STRUCTURE that uses the same index. so two structures coupled.
AFA6:   ex     de,hl      	; de= offset

AFA7:   ld     hl,(#aa6a) 	; RECOVERING the INPUT DE value when called the routine.

LOOPBACK:!!!!!!
AFAA:   push   bc         
	AFAB:   push   de         	; de = offset to the third data that has a record of 8 bytes.
	AFAC:   push   hl         	; hl = input value (pointer to a inputed data structure).
		AFAD:   ld     bc,#0024   ; STEP = 24.
		AFB0:   ld     a,(de)     
		AFB1:   ld     (hl),a     
		AFB2:   inc    e          
		AFB3:   add    hl,bc      
		AFB4:   ld     a,(de)     
		AFB5:   ld     (hl),a     
		AFB6:   inc    e          
		AFB7:   add    hl,bc      
		AFB8:   ld     a,(de)     
		AFB9:   ld     (hl),a     
		AFBA:   inc    e          
		AFBB:   add    hl,bc      
		AFBC:   ld     a,(de)     
		AFBD:   ld     (hl),a     
		AFBE:   inc    e          
		AFBF:   add    hl,bc      
		AFC0:   ld     a,(de)     
		AFC1:   ld     (hl),a     
		AFC2:   inc    e          
		AFC3:   add    hl,bc      
		AFC4:   ld     a,(de)     
		AFC5:   ld     (hl),a     
		AFC6:   inc    e          
		AFC7:   add    hl,bc      
		AFC8:   ld     a,(de)     
		AFC9:   ld     (hl),a     
		AFCA:   inc    e          
		AFCB:   add    hl,bc      
		AFCC:   ld     a,(de)     
		AFCD:   ld     (hl),a     ; It copys the record of that third structure, to the address space pointed by de when called the routine.
		AFCE:   ld     a,(#aa6c)  
		AFD1:   ld     (ix+#00),a ; WARNING IX = is also a INPUT value when called the routine.
	AFD4:   pop    hl         
	AFD5:   pop    de         

	AFD6:   inc    hl         
	AFD7:   inc    ix         
	AFD9:   ex     af,af'     
	AFDA:   dec    a          
	AFDB:   and    #1f        
	AFDD:   jr     nz,#afe3   
		AFDF:   ld     bc,#0100   
		AFE2:   add    hl,bc 
     
	AFE3:   ex     af,af'     
AFE4:   pop    bc         
AFE5:   djnz   LOOPBACK!!!!      

AFE7:   ld     (#aa6a),hl 
AFEA:   pop    hl              
AFEB:   jp     JUMPPPBACK




Ahhh no , no code bug, seems to be a data condition that does it to be in a infinite loop.

so hard to see., Maybe a stage data corruption, or untested player condition to avoid.

Van SLotman

Paragon (1238)

afbeelding van SLotman

28-02-2011, 02:20


Ahhh no , no code bug, seems to be a data condition that does it to be in a infinite loop.
so hard to see., Maybe a stage data corruption, or untested player condition to avoid.

It could be data corruption on the first room at 23E0h - but the second room (the one that only freezes on disk version) has the exact same data as the tape version, so it isn't corrupted.

Probably the code is overwriting the room data somewhere.

Van flyguille

Prophet (3028)

afbeelding van flyguille

28-02-2011, 13:39

well, for CPU hunging in that loop (looping and looping),

you needs to checks if there is the ZERO TERMINATED chained correcly.

then you needs to check if the chain is ok, that there is not a backward reference.

(in the structure pointed by #aa74)

will be usefull what are or for wath is used the three structures and the structure data inputed.

Van flyguille

Prophet (3028)

afbeelding van flyguille

28-02-2011, 13:45

a clue can be "what has a width of #24 (36 bytes)"? but only copies the first 8 bytes to that structure.

it is a prebuffered in RAM game??? I means first construct the stage in RAM then copy it to VDP?

Van dericorspoa

Supporter (1)

afbeelding van dericorspoa

21-11-2012, 11:55

Hello all. I am Brazilian and my name is Andre.

This game is part of the most incredible days I've had in the days of good old msx. Probably I am the only person who has this game on msx complete without errors. And the amazing thing was how I discovered it. At the time of the game I always sought hexadecimal sequences to find infinite energy and many things to facilitate the game. He wore changes from 10 to 10 "pokes" changing and getting hours testing. And it was in one of these threads I was testing (it was time for lunch and I spent all morning trying to) when I stopped by my uncle (Hugo), which amazingly he always liked to look only asked to play while I ate lunch. I remember well that told him, "let me restart the game that should have flaws it has 10 addresses modified in an attempt to find infinite energy" but he said no need, I'll play a little. The fact that he has impressed me want to play, but it was amazing when he finished the first stage of the game and called me saying they got through to the second stage.
Of course I did not believe, but when I saw that there was real! Imagine .. thousands of changes and he was just playing me for interrupt (hundreds of changes) in the right sequence and even more unbelievable changed to the correct value (of 256 possible) for me it is more unlikely than winning the lottery, much more.
I spent years away but it is something that never forgot my childhood and I would like to share my story before passing the (magic number) that unlocks the entire game without any error.
Interesting that the original scores that appear in the game has such a "software bug" .. making it seem that the game is out of the factory with such unintentional error. But that is speculation and we may never know.

But the important thing is that, yes, I am probably the only person that has this complete game for Msx and want to spend all of you, but the main thing for me is to share this amazing story that was so unintentionally discover but an absolute way unlikely for several circumstances.
I had already sent my story to Slotman (O code but not miraculous, hehe) but we had no more contact some years ago.

Extremely unlikely, but I swear totally real! Smile

Pagina 1/2
| 2