WIP: Knight's Chance Multi-Slot Attract Mode Fix

lithy

Background: (Unimportant, blah, blah, blah) So I had decided that I wanted to learn just the tiniest little bit about looking at/reading/understanding some of the assembly code behind the games. I have no real background in anything that would make me assume that even the basics would be easy for me. I assume a 5 minute task for the right person might take me 5 weeks. I chose the smallest project I had interest in, patching Knight's Chance so that the attract mode advances to the next slot in a Neo Geo multislot board like the 'official' games do. I have cabs and I like to leave attract modes cycling and Knight's Chance has a great little attract mode, it's a shame that I never leave it in the cabinet because it ends up just repeating itself.

Goal (Small): Modify Knight's Chance P1 rom to allow the game to cycle in a multi slot Neo board. I have a paid digital copy and a bootleg cart. I have a Backbit cart that I should be able to use to test a modified P-rom with the ultimate goal to replace the P1 eprom on my bootleg cart.

Goal (Medium): Knight's Chance also doesn't seem to show the Neo Geo splash screen, modify to show Neo Geo splash

Goal (Large): Knight's Chance only shows High Scores at the Game Over conclusion of playing a game. Might be nice to at the very least rotate through one of the 4 high score screens during an attract cycle. The hold on the title screen is somewhat lengthy, it could take some of the time from that hold away so as not to extend the length of each cycle further.

Mostly, this thread is just a place where I can 'work out loud'. Of course any suggestions or help are appreciated. I already got an assist from @nauman here, along with the smart suggestion to start a thread.
 
What I have managed so far was to start to try to understand how this table controlled the slot selection mechanic


$10FD81, BIOS_SYSRET_STATUS (byte, BIOS): Internal value which stores the function code that SYSTEM_RETURN will call.
  • 0 : Init bram/select valid game for eye-catcher
  • 1 : Set the EL-LED to the correct value
  • 2 : Switch to the next slot, relaunch eye-catcher
  • 3 : After a gameover, save the playtime for bookkeeping, switch to DEMO mode, reset the workbackup ram
  • 4 : Switch next slot (select p1 pressed)
  • 5 : Switch to previous slot (select p2 pressed)
  • 6 : Called after a coin deposit, does nothing

Then I decided to use Metal Slug just because I already had the rom for a comparison.

Here is what Metal Slug is doing at that bit with my notes on what the game is doing at each watchpoint.
Code:
HBMAME debugger version 0.245.25 (2025-05-10)
Currently targeting mslug (Metal Slug - Super Vehicle-001)
>wpset 10FD81,1,w,wpdata !=0
Watchpoint 1 set
Stopped at watchpoint 1 writing 5555 to 10FD80 (PC=C13160) - Booting
Stopped at watchpoint 1 writing AAAA to 10FD80 (PC=C13184) - Booting
Stopped at watchpoint 1 writing FD80 to 10FD80 (PC=C131A6) - Booting
Stopped at watchpoint 1 writing 01 to 10FD81 (PC=C113D2) - Neo Geo Splash (#1: SYS_INT1, jump to system ROM, C11646/$C00438, #2: SYSRETURN, C113D2/$C00444
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11432) - Begin attract mode (title, demo, high scores)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C1149A) - Attract mode ends
Stopped at watchpoint 1 writing 01 to 10FD81 (PC=C114BC) - Neo Geo Splash (kept for being sent to this by a different line, after this next attract mode to start is same as before)
Stopped at watchpoint 1 writing 06 to 10FD81 (PC=C11892) - Coin add break
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C114FC) - Game Start compulsion begins
Stopped at watchpoint 1 writing 03 to 10FD81 (PC=C1176E) - Game Start, through to game over
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11460) - Relaunch attract mode after game over

And here is what Knight's Chance is doing at the same bit also with my notes
Code:
HBMAME debugger version 0.245.25 (2025-05-10)
Currently targeting knightsch (Knight's Chance)
>wpset 10FD81,1,w,wpdata !=0
Stopped at watchpoint 1 writing 5555 to 10FD80 (PC=C13160) - Booting
Stopped at watchpoint 1 writing AAAA to 10FD80 (PC=C13184) - Booting
Stopped at watchpoint 1 writing FD80 to 10FD80 (PC=C131A6) - Booting
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11418) - Begin attract mode (Neobitz logo, demo, title)
Stopped at watchpoint 1 writing 06 to 10FD81 (PC=C11892) - Coin add break
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C114FC) - Game Start compulsion begins
Stopped at watchpoint 1 writing 03 to 10FD81 (PC=C1176E) - Game Start, through to game over
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11460) - Relaunch attract mode after game over

So, differences...Metal Slug writes another 2 at the end of the attract mode, I am not sure why it might do this since the bit doesn't seem to change during the attract mode, but it is a difference. Knight's Chance also never writes a 1 for the Neo Geo splash screen. nauman showed me that Knight's Chance is never sent back to C00444 where it would read the 2 and be able to move to the next slot.
 
What I need to figure out now, insert the jmp back to C00444 at the end of the Knight's Chance attract mode as suggested by nauman

So...how do I figure out what instruction is ending the attract mode and looping it back around to the beginning? I've determined that from a fresh boot of the game through one attract mode cycle lasts around 4500 frames (screen goes black on frame 4497, 2014 copyright disappears on frame 4498, neobitz logo begins to appear on frame 4532).

These instructions are right after the first write of the bios status, is the jsr to $c12390 the start of the attract mode? If so can I maybe find the end of the attract mode where it sends it back to $c12390 again?

Code:
C11418  move.b  #$2, ($a81,A5)                              1B7C 0002 0A81
 C1141E  jsr     ($f70,PC) ; ($c12390)                       4EBA 0F70
I did find that the instructions change from frame 4497 to 4498, so that would seem to be the break.

4497 takes this break, 4498 does not
000220 bmi $228 6B06
 
I really like your energy to learn more :)

So.. I spent a few hours this morning analyzing the game and I can now be bold enough to promise that the issue can be resolved with a small patch.
Tried to upload a gif showing this but my knowledge does not lie in video/uploading so you just have to believe me :D

Since you are open to learn, I will support you in this journey but not tell you straight away how to do it.
While no method of debugging is wrong, I would encourage you to use a decompiler like Ghidra to see more into what assembly instructions are actually executing. With that help, you can then use Mame to set breakpoints since the address-space is very static compared to software for Windows etc.

Here are some brief instructions on how to get going with Ghidra:
  • Swap the endian of the rom:
    Code:
     dd if=kc_p1_mod.rom of=kc_p1_mod.rom.bigendian conv=swab
  • Open the swapped binary in Ghidra, choose a default 68k cpu. Since the game actually starts at offset 0, we do not need to add a memory map, but add the following if you want to:
[Image: 1754128257117.png]


Next, you want to identify an entry-point, which in this case is the USER-function that is always placed at 0x122 on the cartridge. This is a jump-instruction so we have to follow it to the real function. If you end up in the correct location you are going to see the following (but minus the names I added for myself):
[Image: 1754128809225.png]


And I am gonna leave you here for now and say... don't give up. Take a break, but never give up :)

A final tip on the way, the same address you see on the left can be used in Mame with
Code:
bpset 0x0000026c
To modify the binary I used HxD, but again, use the tools you like, these are just my choices.
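
The byte swap and the USER jump at 0x122 described in the post above, as an added example that is not part of the original posts: it puts a dump into 68k byte order only when needed and follows the jump to the real entry point. The `NEO-GEO` magic at 0x100 is an assumption taken from the Neo Geo cartridge header layout, and the sample image with its 0x300 target is constructed.

```python
import struct

USER_VECTOR = 0x122      # offset of the USER jump named in the post
JMP_ABS_LONG = 0x4EF9    # 68k opcode for jmp (xxx).L
MAGIC_OFFSET = 0x100     # assumption: header magic "NEO-GEO" starts here

def swab(data: bytes) -> bytes:
    """Swap every pair of bytes, like `dd conv=swab`."""
    if len(data) % 2:
        raise ValueError("ROM image must have an even length")
    out = bytearray(len(data))
    out[0::2] = data[1::2]
    out[1::2] = data[0::2]
    return bytes(out)

def to_big_endian(data: bytes) -> bytes:
    """Return the image in 68k byte order, swapping only when needed."""
    if data[MAGIC_OFFSET:MAGIC_OFFSET + 7] == b"NEO-GEO":
        return data
    swapped = swab(data)
    if swapped[MAGIC_OFFSET:MAGIC_OFFSET + 7] == b"NEO-GEO":
        return swapped
    raise ValueError("no NEO-GEO header in either byte order")

def user_entry(rom: bytes) -> int:
    """Follow the jmp at 0x122 and return the address of the real USER routine."""
    opcode, target = struct.unpack_from(">HI", rom, USER_VECTOR)
    if opcode != JMP_ABS_LONG:
        raise ValueError(f"expected jmp.l at {USER_VECTOR:#x}, found {opcode:#06x}")
    if target % 2 or target >= len(rom):
        raise ValueError(f"USER target {target:#x} is odd or outside the image")
    return target

def build_sample() -> bytes:
    """Constructed 1 KiB image in 68k order with a made-up USER target of 0x300."""
    rom = bytearray(0x400)
    rom[MAGIC_OFFSET:MAGIC_OFFSET + 7] = b"NEO-GEO"
    struct.pack_into(">HI", rom, USER_VECTOR, JMP_ABS_LONG, 0x300)
    return bytes(rom)

if __name__ == "__main__":
    dump = swab(build_sample())          # what a byte-swapped dump looks like
    entry = user_entry(to_big_endian(dump))
    print(f"USER entry at {entry:#08x}; in the debugger: bpset {entry:#x}")
```

Checking the jump opcode and target before trusting the address catches the common mistake of loading an unswapped dump, where the bytes at 0x122 decode to something other than a jump.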
 
Just a quick tip when reading this debug. If you see PC=Cxxxxx, that is, starting with a 'C', that is actually mapped to the Neo Geo memory map shown here.
So.. 'C' is equal to "System ROM", which is the BIOS. If you saw a PC starting with a 0 you would know it is the P-ROM writing/reading, which is the game/cartridge.

Neither game is modifying this memory space, and that is expected since this value is a BIOS internal registry to keep up with the 'next step' of actions.
The main issue with Knight's Chance is that it never returns the execution to the BIOS, and therefore this value is never 'used', even if it is correct.
 
The part above hit me while I lay in bed last night and I was just coming back to post it! You obviously explained it in your post in the Final Vendetta thread but I just didn't quite comprehend it late last night when I put up my posts. But now understanding that what I was seeing as Metal Slug 'writing' a 2 again to $10FD81 at the end of the attract mode (and thinking it was the game rom doing this even though it was already set to 2) instead was the game rom sending control back to the system rom (jumping to c00444), then once there, the bios writes the bit and then checks it. Anything I'm still missing?

I appreciate the no spoilers (for now at least lol ;)). Hopefully you won't get bored while I fumble around. And thanks so much for the tools suggestions, I have family in town for a couple days so might not have time to stare at it but I will definitely come back and give it some more attention.
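
An added example (not code from any poster) that parses the watchpoint hits from the two traces in this thread and applies the PC=Cxxxxx tip: it confirms every write to $10FD81 comes from the BIOS and lists the BIOS write sites Metal Slug reaches that Knight's Chance never does. The address ranges in `region` are assumptions taken from the Neo Geo memory map.

```python
import re

# Watchpoint hits copied from the two traces in the thread (notes trimmed).
MSLUG = """\
Stopped at watchpoint 1 writing FD80 to 10FD80 (PC=C131A6)
Stopped at watchpoint 1 writing 01 to 10FD81 (PC=C113D2)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11432)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C1149A)
Stopped at watchpoint 1 writing 01 to 10FD81 (PC=C114BC)
Stopped at watchpoint 1 writing 06 to 10FD81 (PC=C11892)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C114FC)
Stopped at watchpoint 1 writing 03 to 10FD81 (PC=C1176E)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11460)
"""
KNIGHTSCH = """\
Stopped at watchpoint 1 writing FD80 to 10FD80 (PC=C131A6)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11418)
Stopped at watchpoint 1 writing 06 to 10FD81 (PC=C11892)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C114FC)
Stopped at watchpoint 1 writing 03 to 10FD81 (PC=C1176E)
Stopped at watchpoint 1 writing 02 to 10FD81 (PC=C11460)
"""
HIT = re.compile(r"writing ([0-9A-F]+) to ([0-9A-F]+) \(PC=([0-9A-F]+)\)")
STATUS = 0x10FD81  # BIOS_SYSRET_STATUS

def region(pc: int) -> str:
    """Classify a PC; the ranges are assumptions from the Neo Geo memory map."""
    if 0xC00000 <= pc <= 0xCFFFFF:
        return "BIOS"        # system ROM and its mirrors
    if pc <= 0x0FFFFF:
        return "P-ROM"       # first program ROM bank (the cartridge)
    return "other"

def status_writes(trace: str) -> list[tuple[int, int]]:
    """Return (pc, value) for writes addressed to 10FD81; boot word writes to 10FD80 are skipped."""
    hits = (HIT.search(line) for line in trace.splitlines())
    return [(int(m[3], 16), int(m[1], 16)) for m in hits
            if m and int(m[2], 16) == STATUS]

def unreached(reference: str, target: str) -> list[tuple[int, int]]:
    """BIOS write sites the reference game reaches and the target never does."""
    seen = {pc for pc, _ in status_writes(target)}
    return sorted({(pc, v) for pc, v in status_writes(reference)
                   if region(pc) == "BIOS" and pc not in seen})

if __name__ == "__main__":
    for name, trace in (("mslug", MSLUG), ("knightsch", KNIGHTSCH)):
        print(name, sorted({region(pc) for pc, _ in status_writes(trace)}))
    for pc, value in unreached(MSLUG, KNIGHTSCH):
        print(f"only mslug reaches {pc:06X} (writes {value:02X})")
```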
 