Tuesday, April 4, 2023

Adventures in ASM II: Szechuan Sauce

tl;dr: I’ve made a NoCD crack for Si Chuan Sheng 2000. Download it here.


I’ve long been a fan of Shisen-shō, you know, the other mahjong solitaire game with the rectangular tile arrangement. Its slightly more complex rules probably doom it to always be the less-widespread of the two, but I think it’s much more fun when you have total knowledge of where all your tiles are (plus I’ve always been crap at finding things hidden in plain sight). So, when I first found out about Si Chuan Sheng 2000 through a series of uncommentated playthrough videos by Rubycored, I instantly knew I had to have it. For those who don’t know what I’m talking about – I presume the intersection of the “does not live in Taiwan” and “has never watched the playthrough” sets –, Si Chuan Sheng 2000 (or「四川省2000」in the original Chinese) is, I think, the only game I’ve ever seen that actually builds upon the original Shisen-shō that TAMTEX put out in 1989 as an excuse to see naked pixelated ladies by offering levels in the form of predetermined, carefully handcrafted puzzles. Developed and published by T-Time Tech & Art in Taiwan in 1998, a company that somehow not only still exists to this day but also still lists the game on their catalog, Si Chuan Sheng 2000 also features torch, dynamite and concrete blocks to spice up things and refresh the formula a bit (they work exactly as you’d expect). All in all it’s a very fun game, and indeed, not long after I first found out about the game, I managed to get my grubby hands on an ISO dump, which is now one of the pride pieces of my Internet Archive library.

The original Shisen-shō, released as Match It outside Japan, isn’t an ancient Chinese game from Sichuan, but rather a 1980s pervert arcade game from Tokyo

Now, since I got the dump, I barely had any trouble installing and playing it, but I’m aware that my setup is anything but commonplace: I have winevdm installed, which means that the 16-bit installer stub ran normally on my 64-bit computer, and when the game turned out to have the age-old “insert CD to continue” DRM, I could just mount the image with WinCDEmu and play away. I could’ve just not cared and dealt with this annoyance every time I wanted to play, but DRM as a concept bothers me enough, and it getting in the way of me seamlessly playing the game whenever I want pushed me over the edge to do something about it. I found a really good YouTube tutorial that deals with patching CD DRM in Assembly and, much headdesking later, I managed to produce a working NoCD crack. I will spare you the details for two reasons: one, I didn’t have to do anything but extrapolate what the tutorial I linked explains in a much better way than I possibly could, and two, this was literally years ago, I’ve just procrastinated posting it online until now. The one thing I do remember that may be worth mentioning is that I found out that the only thing the game actually checks for is the existence of the SETUP.BMP splash file, so in theory you could burn it to a random CD-R full of other stuff and it’d still work, although why would you do that.

You can download the entire installation package with my crack here. I’ve also already substituted the 16-bit InstallShield setup stub with a 32-bit alternative made by AxXxB of the Old-Games.RU forums for your convenience, so that you don’t need to install winevdm just to install this one game.

If you’re from T-Time and you want to DMCA me for cracking and publishing your 25 year old game, please do! Show interest in your classic library! It’d cost you virtually nothing to rerelease your old games through virtual storefronts like GoG and I can’t be the only one who would definitely buy at least a couple of them! I’ll very gladly take the download link down if it means that we’ll be able to play this game and others like Jurassic Banqi legitimately again without having to scour Ruten and pay a fortune to proxy mailers!

Monday, February 6, 2023

Puzzle Game Archeology, or The Idiot, The Duck, The Misleading Title and a Cup of ASM

I was originally going to start this article by giving a crash course on the Mega Duck and its fellow budget Game Boy wannabes, but frankly it was too long and boring and didn’t bring anything new to the table. If the bizarre water fowl-related name doesn’t mean anything to you, I recommend watching Ashens’ delightful demonstration of the console before proceeding.

Anyway, onto the story! A gloomy hot summer afternoon last year, I decided to try out Mega Duck games at random. Eventually, I landed at one of the two multicarts made for the system, the Four in One (which unlike its sibling Five in One actually includes four distinct games instead of variations on two games), and as soon as the menu materialised on the tiny MAME window I knew the first game I wanted to check: Dice Block.

Dice Block, Dice Square, who cares about consistency

This is probably a good time to mention that I’m a sucker for puzzle games. There’s just something about the easy to learn, hard to master thing that just tickles me the right way, and I’m always on the lookout for obscure puzzlers that time seems to have forgotten about. Dice Block is about as puzzly as a game title can get, and factoring in that like almost all Mega Duck games it was developed by Sachen, of whose prolific unlicensed NES output I am also an unabashedly big fan, you get my easiest decision of the year.

Starting the game, I was greeted with this screen:

…okay, so it seems like I’m in control of an arrow in a field of dice. Fair enough. I moved around and experimented a bit and found out two things: one, you move really slowly. Two, you can climb on dice. If you’re on the ground, you can walk onto a die displaying 1, and if you’re on a 1 die you can walk onto a 2 die, but when you get there and face the ground your arrow gets a big blinking X on top of it and you can’t move. Similarly, you can’t get to a 2 die from the ground. The A and B buttons don’t seem to do anything. What is the end goal here…? I walked around a bit more, trying to interact with the dice and do something when I came into a minor breakthrough: if you stand facing a die and press A, the die moves one square forward!

Progress!……?

Finally, something! I mean, something pretty much pointless that doesn’t give me any insight into the game’s objective, but still, better than nothing, I guess! With this newfound knowledge, I tried pushing a die with the 2 side up… and nothing happened. Huh. After faffing around with it a bit more, I decided to call it quits and search the Internet for answers. I mean, this is the 2020s, any old game that’s been dumped for enough time has at least one gameplay video somewhere, no matter how obscure, right?

Yeah, I wasn’t wrong. There were, indeed, a few YouTube videos with gameplay, some of them even on real hardware… All of them very very short, with the player just puzzledly meandering around the board with no idea what to do. Getting a bit desperate, I turned to Google and the Internet Archive, with the faint hope that someone would’ve scanned the manual, but it shouldn’t surprise you to know that nobody ever bothered to scan the leaflets and inlays of a game called Four in One for a system named Mega Duck. I did, however, manage to find a listing on a local eBay-like website of a loose cart for a relatively low price. In my desperation, I messaged the seller, telling them that if they had the manual or at the very least could teach me how to play Dice Block, I’d buy the cart (even though I don’t own a Mega Duck). The next day, in came the response… and yeah, the guy selling it was actually a used games store a few states away, and presumably after going through the same YouTube searches as me, they told me that they got the cart in a pile of old junk and they had no clue how to play it.

Eventually, though, just as I was losing the last remnants of hope, on page whatever of Google search results, I came across a Neocities website reviewing the Game Boy version of the game. This is a good time to mention that apparently, the Mega Duck was… a bit more Game Boy-like than other Chinese competitors, shall we say, and after its failure Sachen promptly ported all of their games – i.e. the entire console’s library bar one – to the Game Boy. And yes, someone on Neocities got ahold of one of its later Game Boy iterations, more specifically a colorised Game Boy Color multicart, and this is what they had to say about Dice Block:

I'd like to tell you what the gameplay involves, but it's frustrating and tedious. […] Kludgy movement aside, multiple attempts haven't helped me in working out the goal of this awful puzzle game.

OK, so a third attempt (yes, I'm thorough) seems to indicate you need to push a lower denomination into the next one up to destroy it, so that you only have ones left... maybe? The second screen has one, two and three dice, and a static monster. Experimentation, especially given the cacophonous public domain tune (which changed from the first level, but not for the better) didn't lead to any further enlightenment. Pity this cart didn't come with the manual, I'm sure it would've been helpful and thorough.

Push a lower denomination into the next one up to destroy it…? I fired up MAME, stood in front of a 1 die that followed a 2 die, pressed A, and… nothing. Nothing at all. Frustrated that the blogger’s flaky description was incorrect, I climbed on the 1 die and pressed A again… and, much to my surprise, this happened:

Wh. What.

So, to cut a long story short… When presented with a puzzle game involving dice on a board, naturally we think of Devil Dice, the beloved PlayStation and WonderSwan game in which you walk on dice turning them around. This isn’t Devil Dice because those are not dice. The name is a complete lie and the pips-on-a-die-face graphics are a purely stylistic choice. When you’re looking at this…

…you’re actually looking at this.

Diagram courtesy of Microsoft Visio 2003.

Once you understand that this is your situation, the rules become trivial. The guy can only climb and push blocks one at a time, the goal is to get all blocks on the ground. Bad design choices can make the simplest of games seem nonsensical.

Once I got the rules figured, I got to playing, and what would you know, it’s actually quite fun! Starting on level 2, besides the solitary company of the non-dice blocks, you also sometimes get monsters making funny faces at you. They can’t move, they can’t be killed and they can’t hurt you: all they do is get in your way, restricting your movements and making the puzzle more difficult.

And so I went on my merry way playing through the game. Like dare I say most Sachen games, I maintain that if it were brought to us by more beloved hands, perhaps with some flaws ironed out, it could well have been a cult classic. People may scoff at the stiffness of the controls and the blandness of the visuals, but if it were a mid-1990s flat-shaded 3D arcade game from a Japanese company, I bet that it would’ve sucked quarters right out of people’s pockets and we’d be talking fondly of it to this day. But I digress, as my dicey adventure ground to a halt as soon as I reached Zone 11.

Have you noticed that there’s a timer up in the HUD? The timer that the Neocities blogger quite sensibly described as “a rather generous overall timer in the top right corner”? Well, that timer may very well be overly generous on the first levels with its 300 seconds, but on Zone 11, it is very much the opposite. In fact, it is impossible to complete Zone 11 in five minutes. I traced the optimal path to clear the board on paper, did all the movements with no delay other than the inevitable trudging pace of the player arrow, and I always got timeout nowhere near the end. I suspect that initially the player’s movement was supposed to be much more nimble, but shoddy coding probably made it glitchy if you tried to move around too fast and the way to cut around the corner that was chosen by whatever poor sod that coded this game was just to make it slower, without taking into account whether the later levels were actually finishable after this change. This really bummed me out; the game was fun and dare I say addictive, but half of its levels were locked away by a game-breaking oversight…

There have never been any ducks on this screen.

Then I had an idea. At the time I could barely call myself a hobbyist programmer: the most I could do were some sick Batch files to automate boring stuff and Z80 Assembly was clearly way out of my league, but… what if I tried to patch the timer out? MAME’s debugger is infamously bad, but there’s supposed to be a Game Boy port of the game around, and that system has a really good emulator and debugger – BGB. I looked for the Mega Duck ports dumps, and while most of them are on multicarts that use a custom mapper that is only supported by fringe emulators, luckily, probably because this was already a multicart in the first place, the dumped Game Boy version of Four in One – here, 4 in 1 Vol. 2, fully stripped of its bebilled mascot – is fully supported by BGB.

The first thing I did was try to isolate where exactly is the timer updating routine. Since 300 is more than 255, I reckoned that there would probably be two bytes in the memory allocated to the timer, and it would be stored in hexadecimal as usual. I whipped out BGB’s cheat searcher, took a snapshot of the RAM, let the timer run for a second or two, then searched for all values that went down. And wouldn’t you know…


257 in hexadecimal is 0x101, so 0xCB13 here looks promising with its value of 0x01, but alas, 0xCB12 was a completely different number. Now, if you look more closely at those addresses, you’ll find that 0xC10F is set to 0x07. Could it be…?

Lol. Lmao, even. The timer isn’t stored in hexadecimal. Instead, it’s in good old BCD, binary-coded decimal, probably to make it easier to point the Mega Duck to the right tiles to display on the HUD. I set an access breakpoint on address 0xC10F, and then running the game for less than one second pointed me right at the culprit: 0x2F4B, or ld C10F,a, i.e. copy the value stored on register a to the address 0xC10F. I changed it into a bunch of nops (i.e. do nothing) and voilà! The timer froze! I could not bloody believe it, but I’d just managed to successfully cut around a bug in Assembly using only the knowledge acquired watching time fodder like Coding Secrets, Retro Game Mechanics Explained and Sharopolis over the years. It’s stupid and it’s simple and it’s barely anything, but damn was I proud of my minor accomplishment.

I could’ve stopped right there, saving my work and producing an IPS patch, but then something passed through my mind – the Mega Duck was remarkably similar to the Game Boy, right? But… how similar, exactly? Well, when you boot up MAME’s Mega Duck core, you get this rather interesting screen:

That’s right. Driver: nintendo/gb.cpp. Apparently it’s so similar to the Game Boy that MAME cuts off the middleman and uses its Game Boy emulator to emulate the Mega Duck. Which makes me think: could the opcodes – the binary code – be generally the same? I opened the Mega Duck ROM on a hex editor, searched for the part right before the opcode that updates the timer on the Game Boy port, and lo and behold…

Peekaboo.

Incredulous, I changed the same three bytes to 0x00, popped the modified ROM in MAME and… it worked. Not only had I made a crude Game Boy romhack with barely any Assembly knowledge, I’d also made the first Mega Duck romhack ever with barely any Assembly knowledge. The game was now fully playable – with the obvious caveat that the time bonus had been rendered useless, but who cares about that. I could have gone further and changed the initial timer value to something way more generous like 600 seconds, but I’m happy with how it is, so that is left as an exercise to the reader.
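As an added illustration of the patch described above (not the author's code, and not the contents of the published patches): the sketch below finds the three bytes of `ld (C10F),a` (opcode 0xEA followed by the address in little-endian order) in a ROM image, replaces them with NOPs and records the change as an IPS patch. The ROM buffers are constructed stand-ins, the second offset is made up, and all function names are hypothetical.

```python
LD_A16_A, NOP = 0xEA, 0x00   # LR35902 opcodes: ld (a16),a and nop

def store_a_pattern(addr):
    """Bytes of `ld (addr),a`: opcode, then the address little-endian."""
    return bytes([LD_A16_A]) + addr.to_bytes(2, "little")

def find_all(rom, pattern):
    hits, pos = [], rom.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = rom.find(pattern, pos + 1)
    return hits

def make_ips(records):
    out = bytearray(b"PATCH")
    for offset, data in records:   # (file offset, replacement bytes)
        if offset == 0x454F46 or offset > 0xFFFFFF or not 0 < len(data) <= 0xFFFF:
            raise ValueError("record not representable in IPS")
        out += offset.to_bytes(3, "big") + len(data).to_bytes(2, "big") + data
    return bytes(out + b"EOF")

def apply_ips(rom, patch):
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS patch")
    out, i = bytearray(rom), 5
    while patch[i:i + 3] != b"EOF":
        if i + 5 > len(patch):
            raise ValueError("truncated patch")
        offset = int.from_bytes(patch[i:i + 3], "big")
        size = int.from_bytes(patch[i + 3:i + 5], "big")
        i += 5
        if size == 0:   # RLE record: 2-byte run length, then 1 fill byte
            data = patch[i + 2:i + 3] * int.from_bytes(patch[i:i + 2], "big")
            i += 3
        else:
            data, i = patch[i:i + size], i + size
        out.extend(bytes(max(0, offset - len(out))))   # pad if the record lies past EOF
        out[offset:offset + len(data)] = data
    return bytes(out)

def nop_store_patch(rom, addr=0xC10F):
    """IPS patch that NOPs the single store to addr; refuses ambiguous matches."""
    hits = find_all(rom, store_a_pattern(addr))
    if len(hits) != 1:
        raise ValueError(f"expected 1 match, found {len(hits)}: verify in a debugger")
    return hits[0], make_ips([(hits[0], bytes([NOP]) * 3)])

def constructed_rom(offset, size=0x4000):
    """Constructed stand-in for a ROM bank (0xFF filler), not real game data."""
    rom = bytearray(b"\xFF" * size)
    rom[offset:offset + 3] = store_a_pattern(0xC10F)
    return bytes(rom)

gb_offset, gb_patch = nop_store_patch(constructed_rom(0x2F4B))
duck_offset, duck_patch = nop_store_patch(constructed_rom(0x1A00))  # offset is made up
```

A byte-pattern match does not by itself prove the bytes are an instruction rather than data, which is why the helper refuses anything but a single hit; the access breakpoint is what identifies the store.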

At first, I was just going to post the patches here and call it a day, but I thought that maybe it would be good to actually tell my story beforehand, if only to get it across that you don’t need to be a Real Programmer™ to make small improvements to old games. I’m a humanities major who serves coffee for a living and I could do it, so definitely so can you.

The Game Boy patch can be found here and its Mega Duck counterpart is here.

Since we’re talking this much about Dice Block, I reckon I should also mention all passwords since I’m probably the first person to play the game through since… well, since the developer, really.

  1. 0001
  2. 1530
  3. 0220
  4. 1997
  5. 9779
  6. 7036
  7. 0607
  8. 2058
  9. 0104
  10. 4090
  11. 0310
  12. 3012
  13. 3003
  14. 7251
  15. 6893
  16. 4414
  17. 2320
  18. 1200
  19. 0203
  20. 1023

I started writing this post many months ago, but life and procrastination got the best of me. Hopefully I wasn’t too boring, but it’s 8:39 in the morning right now and I haven’t slept at all tonight, so there’s that. The next blogposts I’m planning will be more interesting, I hope, whenever I manage to write them. Thank you for reading and happy puzzling!

Update 2024-04-06: It has come to my attention that there is at least one earlier public Mega Duck romhack: Politics, a hack of Magical Tower by popehentai, published in April 2021. That being said, I’ll happily take the cake of first non-edgelord Mega Duck romhack :v
