This page is a mirror of Tepples' nesdev forum mirror (URL TBD).
Last updated on Oct-18-2019

NESRevPlus

NESRevPlus
by on (#92502)
Since we haven't seen an update for Kent Hansen's great "NESRev" for quite some time (it seems to have vanished from the internet as well, almost anyway), I've decided to port NESRev's Java code to Windows .NET.
My plan is to keep the tool updated and use a modern GUI instead of a commandline.
I hope Kent Hansen won't mind..
Progress is good and I'm almost done with the initial port and expect to release a beta soon.
Let me know if you have any cool ideas of features to add. :)

Until then, here's a screenshot of what's coming:
[Image]

For the latest version:
http://nes.goondocks.se

by on (#92504)
What's "NESRev"? From a picture I can guess it's some disassembly tool.
Will it work with other mappers than NROM? How accurate is it? I mean, how accurately can it separate code from data? Can data be saved as a separate file and be assembled in one of the assemblers?
Sorry for so many questions, but this is really good stuff. :D

by on (#92505)
And will you have someone testing it with Mono?

by on (#92507)
Denine wrote:
What's "NESRev"? From a picture I can guess it's some disassembly tool.
Will it work with other mappers than NROM? How accurate is it? I mean, how accurately can it separate code from data? Can data be saved as a separate file and be assembled in one of the assemblers?
Sorry for so many questions, but this is really good stuff. :D


1. NESRev is a 6502 program disassembler made by Kent Hansen, known as Snowbro. His last work was a nice 6502 program called "DPad Hero".

2. NESRev is a different disassembler. While every disassembler treats all the data as "code", NESRev separates what's "program code" from what's "table".

3. NESRev was developed with mapper 0 in mind, so it had a few games fully disassembled, but the source code could be recompiled without problems.

4. It's kinda hard to say, since mappers other than NROM do bankswitching, making the things quite complicated.

by on (#92512)
What's the difference between NESRev and CDL-assisted disassembly? How does NESRev tell "data table" from "jump table"?

by on (#92523)
For the curious, I might link to my own "clever-disasm", provided with nescom.
It provides table-aware disassemblies like this.
- http://bisqwit.iki.fi/jutut/mariobros-disasm.asm : Mario Bros. without configuration ("out of box")
- http://bisqwit.iki.fi/jutut/lunarball.lst : Lunar Ball, with configuration (RAM & ROM labels) -- configuration file: http://bisqwit.iki.fi/jutut/lunarball.map
It has understanding of a few mappers such as MMC1, MMC3 and UxROM.
I have not really made noise about it, but I have used it personally for many of my reverse engineering projects, mostly for TAS purposes. I usually tweak the source code when I need something changed, such as support for a new mapper or a new kind of data suffix routine.

by on (#92539)
tepples wrote:
What's the difference between NESRev and CDL-assisted disassembly? How does NESRev tell "data table" from "jump table"?


NESRev traces all code that's executed (in most cases anyway) on its own. So no need to play through the *entire* game first (as you have to do with the CDL...)

by on (#92540)
Unless you have an entire emulator embedded in the disassembler, you can't possibly trace all executable code... There's always stuff that's called through pointers, code that's copied to RAM (will look like data to a disassembler) and stuff like that.

by on (#92624)
Here's my first beta-release. Feel free to check it out. At the moment it is only capable of disassembling 16K games (just like the original NESRev).

It's for Windows and requires .NET framework 3.5:

http://dl.dropbox.com/u/2590713/anes/NESrevPlus.zip

by on (#92982)
NESRevPlus now has a place on the world wide web.. :)
http://www.anes.se/nestools/

by on (#93938)
Hey, I like this tool a lot, but limiting the input format to .NES isn't so great. NSF, BIN, or *.* would be nice too.

by on (#93942)
Thanks for the feedback. Nice to know someone's actually using it. :)

by on (#93974)
I used it for Wild Gunman, so thanks!

by on (#94708)
I'm working on the next version of NESRevPlus.. Anyone with some excellent ideas for improvement? :)

by on (#94718)
Possible Features:

Detection of ''JMP (Addr)'', or opcode $6C, while defining addresses by hand
Variable and Zero-Page Definition support
Use .ORG support for split banks
8Kb through 32Kb PRG ROM Banking Emulation support,
1Kb through 8Kb CHR ROM Banking Emulation support,
Export CHR ROM and PRG ROM to separate files according to mapper-based banksize defines

by on (#95100)
I've uploaded v0.3b that supports 32K NROMs. Link is in my first post.

by on (#95102)
Tried the new version on my NROM-128 game. It separated a lot of the data and stuff well, but it just missed some arrays badly and combined 2 separate arrays that were used in the same subroutine or something but used in completely different ways. One of them was at the very beginning of my data file, and it combined these arrays:

Code:
RLEPointersHigh:
  .db HIGH(MainNametable)
  .db HIGH(TitleNametable)
  .db HIGH(OpeningNametable)

RLEPointersLow:
  .db LOW(MainNametable)
  .db LOW(TitleNametable)
  .db LOW(OpeningNametable)

MainNametable: .incbin "Screens/RLECompressedMainScreen.bin"
TitleNametable: .incbin "Screens/RLECompressedTitleScreen.bin"
OpeningNametable: .incbin "Screens/RLECompressedOpeningScreen.bin"


and the call for those two beginning arrays is this, away from other data completely:

DecompressToPPU:
LDA RLEPointersLow,X
STA <DecompressDataPointer
LDA RLEPointersHigh,X
STA <DecompressDataPointer+1

And in the data for the disassembly, it produces:

Code:
LC000:
.DB $C0,$C2,$C4
LC003:
    ;1606 bytes
.DB $06,$BE,$C2,$01,$01,$25,$02,$09,$01,$14,$05,$08,$01,$0A,$02
(All other .db statements here.)


So it combines the one array with the files it points to for some reason, which I think may be a mistake because the array access shouldn't affect it. I think a key to making this work well would be having a cal register value range from an emulator being included to help separate those arrays while playing the game. But honestly, it works damn well, I think it's a great tool to reverse engineer games and I'm sure the person that will be studying the games code when released will be able to figure it out so it may hurt, but I don't believe it will cripple it at all. Good luck improving it! :)

by on (#95107)
I have pretty much the exact same impression.

This:
Code:
   .org $C000
met16header:
   .dw met16sets_bank00
met32header:
   .dw met32sets_bank00
metscreenheader:
   .dw metscreensets_bank00
metlevelheader:
   .dw metlevelsets_bank00
ended up as:

Code:
LC000:
   DC.B $08,$C0,$12,$C0
LC004:
   DC.B $1A,$C0
LC006:
    ;3102 bytes
   DC.B $1E,$C0,$22,$C0,$50,$C0,$7E,$C0,$AC,$C0,$DA,$C0,$08,$C1,$45
   DC.B $C1,$82,$C1,$BF,$C1,$FC,$C1,$4C,$C2,$75,$CB,$79,$CB,$00,$FE
   DC.B $80,$84,$87,$FE,$84,$FE,$FE,$87,$00,$89,$8A,$FE,$8D,$00,$FE
(Removed for brevity)


I'm puzzled by how the header labels ended up being divided. Absolutely everything past that is read through at least one layer of indirect indexed, so I didn't expect it to be picked up and separated.

Relevant code to the header labels.

Code:
;"reserved" variables are zero page temp RAM.
   lda met16header
   sta reservedE
   lda met16header+1
   sta reservedF


In another location:

Code:
   lda met16header
   sta reserved0
   lda met16header+1
   sta reserved1


Code:
   lda met32header
   sta reservedE
   lda met32header+1
   sta reservedF


Code:
   lda metscreenheader
   sta reserved0
   lda metscreenheader+1
   sta reserved1


Code:
   lda metlevelheader
   sta reserved0
   lda metlevelheader+1
   sta reserved1


After each I read indirectly, but some of them set Y in various ways before the read. I could imagine if the whole thing was one giant block, or if it was each header's two bytes, then a solid block, or if it was a single label per each byte of the header. How it is now, with the first two headers together, then one more, then the last in the block, totally puzzles me.

I haven't really dived in to see how close it got with the rest of my data in this game, but I'm pretty impressed.

I never posted, but I tried the old version with a smaller game (since then it didn't support this one's size) and read through a lot more than this one and it did extremely well with what I checked.

Last note: I get an unhandled exception every time I minimize the program with a disassembly open. It minimizes fine before it opens a rom, though.
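To make the behaviour discussed in this thread concrete (tracing executed code on its own, stopping at an indirect JMP, and the merged pointer tables reported in the two posts above), here is an added example that is not NESRev's or NESRevPlus's code: a minimal recursive-traversal tracer over a constructed 32-byte ROM image laid out like the RLEPointersLow/High case. It knows only the handful of opcodes the sample uses; all addresses and bytes are constructed.

```python
# Added example (not NESRev/NESRevPlus code): minimal recursive-traversal 6502 tracer.
OPS = {0xA2: 2, 0x85: 2, 0xEA: 1, 0x60: 1, 0xBD: 3, 0x20: 3, 0x4C: 3, 0x6C: 3}  # opcode: length
FLOW = {0x60: "stop", 0xBD: "table", 0x20: "call", 0x4C: "jump", 0x6C: "indirect"}

def trace(rom, base, entries):
    """Follow control flow from `entries`; returns (code, tables, blind): addresses proven
    to be code, table starts named by LDA abs,X, and indirect JMPs that cannot be followed."""
    code, tables, blind, work = set(), set(), set(), list(entries)
    while work:
        pc = work.pop()
        while base <= pc < base + len(rom) and pc not in code:
            op = rom[pc - base]
            if op not in OPS or pc + OPS[op] > base + len(rom):
                break                                    # unknown or truncated: leave as data
            n, kind = OPS[op], FLOW.get(op, "next")
            code.update(range(pc, pc + n))
            operand = rom[pc - base + 1] | (rom[pc - base + 2] << 8) if n == 3 else None
            if kind == "table": tables.add(operand)      # abs,X load: a table starts here
            elif kind == "call": work.append(operand)    # JSR target is code, trace it later
            elif kind == "indirect": blind.add(pc)       # vector lives in RAM/data: cannot follow
            if kind in ("stop", "indirect"):
                break
            pc = operand if kind == "jump" else pc + n
    return code, tables, blind

def regions(rom, base, code, tables):
    """Carve the image into (start, end, kind) runs. A table is assumed to extend to the
    next label, so without length information the last table swallows what follows it."""
    runs, cur = [], None
    for a in range(base, base + len(rom)):
        k = "code" if a in code else "table" if a in tables else None
        if cur is None or k == "table" or (k != cur[2] if k else cur[2] == "code"):
            cur = [a, a + 1, k or "data"]                # unreached bytes after code: unknown
            runs.append(cur)
        else:
            cur[1] = a + 1
    return [tuple(r) for r in runs]

# Constructed 32-byte image at $C000; the comments are its listing.
ROM = bytes([0xA2, 0x00,                    # C000 LDX #$00
             0x20, 0x0B, 0xC0,              # C002 JSR $C00B
             0x6C, 0x1A, 0xC0,              # C005 JMP ($C01A)  static tracing stops here
             0xEA, 0xEA, 0xEA,              # C008 3x NOP, reachable only through the vector
             0xBD, 0x16, 0xC0, 0x85, 0x00,  # C00B LDA $C016,X : STA $00   (RLEPointersLow)
             0xBD, 0x18, 0xC0, 0x85, 0x01,  # C010 LDA $C018,X : STA $01   (RLEPointersHigh)
             0x60,                          # C015 RTS
             0x1C, 0x1E, 0xC0, 0xC0,        # C016/C018 low and high bytes of $C01C, $C01E
             0x08, 0xC0,                    # C01A vector -> $C008
             0x01, 0x02, 0x03, 0x04])       # C01C two 2-byte "screens"
RUNS = regions(ROM, 0xC000, *trace(ROM, 0xC000, [0xC000])[:2])
```

RUNS shows the two pointer tables split at $C016 and $C018 because each is named by a load, while the vector and the "screens" get lumped into the second table and the NOPs behind the indirect JMP fall out as data, which is the limitation the posts above describe.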
Re: NESRevPlus
by on (#112438)
I'm thinking about a new feature for NESRevPlus.. Some sort of graphical view that separates all subroutines and visually displays how they relate to each other. Similar to a database diagram.
However, the problem I'm having is how to do this visually. Does anyone have any ideas how to solve this?
Re: NESRevPlus
by on (#112441)
Do you want me to dig out the Python code that I used to make the call graph of Thwaite?
Re: NESRevPlus
by on (#112448)
I have no experience of Python sadly..