Wow, I'm actually flattered that you would take the time to look at the old code! I know the saying goes "better late than never" but maybe 43 years is a bit too late! Thank you!

Didn’t expect one of the Ms. Pac-Man devs to come across this vid and answer this question, awesome! Just curious, when Ms. Pac-Man was still Crazy Otto, did the four monsters have their own names before they were mostly changed back when turning it into Ms. Pac-Man?

The real question is then, why bother lining up patch code with the 8 bit boundaries when it seems you had plenty of room left? I suppose making room for future changes or just trying to be efficient.

@@colinwood9717 In another reply, they explain that the video was wrong to say that that they had plenty of extra space. The PAL chips only offered 42 patches and they used all but two (paraphrasing from their comment; go find the original for details in case I got something wrong).

@@Eventlesstew in the first prototype we showed to Midway, we didn't have time to create a new attract mode. So we used the existing Pac-Man attract mode. Phil Kaaret (I think? might have been Chris Rode) changed the monster names and nicknames as follows: MAD DOG "PLATO" KILLER "DARWIN" BRUTE "FREUD" SAM "NEWTON" Once we signed the deal with Midway, they changed back to their original names. Then, once the hero character changed to female, we switched CLYDE's name. First it changed to BONNIE (get it? Bonnie & Clyde?) and finally to SUE, named after Doug Macrae's sister.

I'm sorry are you one of the actual devs??? Waow

having a look at the initial versions of the patches would be so cool!

I cannot imagine the feeling of watching a detailed, high-production-value analysis of someone (likely) correctly identifying the reasons behind quirks in your own code.

@@hanthonyc yes, well, I'm just sitting here thinking "We did what? Really? Ouch…"

@@kalamaike see my comment showing original code, confirming that we had it correct, and then messed it up…

Guy, don't blame yourself, it never mind is a big part of computer history - YOU are part of, grats and thanks for your work!!!

Oh that's awesome! Thank you for making such a wonderful iteration of Pac-Man, it's a hugely important part of video games history, and I always love hearing the perspective of developers who made these games. I have one simple question: What did working on these arcade hacks look like? Which is to say, what tools and hardware did you use to dump the ROM and modify it?

@@Dutchsnake5 you are most welcome! If you want to know more gory details about our game development, watch my Ms. Pac-Man Postmortem from GDC 2016. It's here on KZbin.

That sounds very interesting. I love Ms. Pac-Man!

Wait, I watched that analog shutdown video when I was a kid! That was you??

@@PhirePhlame yep that was me! Although there were several other NTSC shutdown videos. Wow long ago…

Oh! Thank you so much for posting this comment, I was genuinely wondering if he was okay, and wrestling with whether I should ask or not, and trying to figure out a way to ask that wouldn't just come across as annoying or nosy! Very glad to know that he's doing fine and it's just his "footnote voice" 😅

When you have "resting bitch face", but its your voice and not your face

This is my suspicion as well

this immediately comes to mind. They had to lay all this out manually. Today we could easily write code that could calculate the best way to get the most out of the patch space available that could run even on the hardware of the time but they didn't have software development techniques like this back then. The hardware has advanced a lot but the way we think about and program for any given hardware had advanced a lot as well.

I could understand that would be the case if they didn’t patch the two last ghosts at all, but why patch and waste two of those precious patch blocks on useless code the result of which gets overwritten in the next line? In my opinion it’s far more likely they calculated the position of the second patch relative to the first and used the same offset for the third and fourth patch, without even checking if it landed in the correct place

Same thing I thought. If you went through and knew there was a limit on the amount of patches you could do, you'd try to use as few as possible, and once they got to the end, they probably just saw that the game ran fine and didn't think about going back and changing those to use more patches. In a kind of "If it ain't broke, don't fix it" kind of way...

@@Astervista This is the most likely case. Anything else presumes that the authors decided to purposefully write a patch that was knowingly ineffective and less efficient than not patching anything at all. It would also require them to go out of their way to needlessly complicate their own patch code with the additional ld, jr, ld instructions.

A joke so bad it integer underflowed.

I could definitely believe this about Sue or Clyde, but Inky, Blinky, and Pinky always seemed so easygoing.

@@ZaurthurNice joke, but going from 0 to 255, or -128 to 127, is still considered a case of integer overflow. “Underflow” is a term only correctly used to refer to a different kind of error with floating point numbers.

@@photonicpizza1466 the amount I care about this distinction caused an arithmetic underflow.

@@photonicpizza1466 looking up the term "integer underflow", there are many articles that use the term and describe it to mean exactly what they intended it to mean. it seems that this is a term that is used and has that meaning.

Same!

Interestingly this is also how more advanced cheat engine cheats work.

The Insert ASM codetype for Gecko Codes (GCN and Wii cheat codes) do exactly this as well with unused memory in the reserved space for exception handlers. I've always heard the technique be referred to as a code trampoline.

This is how most nontrivial code changes in ROM hacks work. Since we don't have access to the original ASM code, it's not possible to reassemble the whole ROM, so it's much easier to just patch in a jump to a handler routine that can be written in empty space somewhere.

@@michaelcalvin42 yeah idk how else you'd add to already assembled code, it's just cool to be watching a video and all of a sudden they're describing a process that i spent a bunch of time independently figuring out how to do with basically no asm knowledge. my eyes lit up like "ooh yeah ive done that a few times! 😎" lol

IL Byte code? Are you talking about a different game? Minecraft is Java, not .NET.

@@animowany111 I suspect they meant JVM bytecode?

@@animowany111 .NET's bytecode is called CIL, not just IL. JVM bytecode is indeed an intermediate language. Saying "IL bytecode" is definitely redundant, though.

@@Purely_Andy The difference is that the CIL is often just called IL, especially in .NET-based game modding. Not helped by the fact the main disassembly tool used to be called ILSpy. I've never seen anyone refer to JVM bytecode as "IL" in practice, though. It is technically an intermediate language, but when someone says IL they usually either mean the intermediate language inside compilers like LLVM and GCC - in which case they usually specify further - or they are referring to the CIL, in which case "IL (byte)code" is in fact the common term.

Well, the JVM would at least fail in a much more useful way if you got something wrong. But I don't envy the task of *any* Java reverse engineering before the proliferation of Fernflower, and for Minecraft before Mojang/Microsoft started publishing mappings for their intentionally obfuscated code.

That’s a great idea!

I don't even know what Food Fight is, but I am now desperate to know how its instant replay feature works. RGME, please make it happen!

We would have to ask Jonathan Hurd (the developer/programmer) who could tell you for sure. But as I recall, the collision detection code watches to see how close Chuck came to dying, that is, how many pixels away from a collision (with food, manhole, anything that can kill you). And if you got "this close" without dying, that triggers instant replay. There was a bug during development, where sometimes Chuck would die during the instant replay! It was not being played back exactly the same as the real game. So, what's going on here? What is different with instant replay, vs actual game play? Well, during instant replay, there is music playing! (Thanks to amazing musician/composer Patty Goodson.) And the music playing was enough to tweak the timings of the game play. The fix IIRC was to ALWAYS play the music, but during normal game play the music volume is zero. I think. Maybe. It might be this was a bug in 7800 version of Food Fight, not the arcade. Wow so long ago…

@ Wow! Thank you so much for responding! I didn’t expect one of the original developers from GCE to show up, and yet, here we are. I would still like to know about it in more detail though, like how the game records the inputs and how it plays it back, e.t.c. Still though, thank you for answering.

@@sgolson I always thought the replay just happened every fifth level regardless of how you played it - so long as you completed the level, it would just play it back.

This would require the return address to conditionally be modified depending on whether the code was being executed for the first 2 ghosts or last 2 ghosts. In terms of the simplest z80 instructions needed for the operations, if you assume no overflow, it looks like you could do `POP HL; INC; INC; INC; PUSH HL`. That's 1+1+1+1+1 = 5 additional bytes. There's no direct way to add 3 as an immediate in z80. If you assume overflow is possible, you'd need to do `POP HL; LD DE, 3; ADD HL, DE; PUSH HL; which is 1+3+1+1 = 6 additional bytes. There is a 2 byte increment for 16-bit operations that would account for overflow, but that increment (INC ss) is 2 bytes long which would give you 'POP HL; INC HL; INC HL; INC HL; PUSH HL', which is 1+2+2+2+1 = 8 additional bytes. TLDR; looks like the cheapest is 5 or 6 additional bytes depending on whether the return address is at 16-bit boundary.

Adjusting the return address is slower and takes more effort to get right. They had enough rom space

@@snaphat Instead of using a CALL instruction to reach the GET_RAND_QUADRANT_INKY/SUE subroutines which ultimately fallthrough to GET_RAND_QUADRANT in order to return to the patch's insertion point, the subroutines for Inky and Sue could be written another way. Assuming Inky and Sue's random quadrant subroutine is only used in this place, a fixed jump instruction into a sequence of new instructions containing the hijacked instruction at the insertion point, a CALL instruction to the GET_RAND_QUADRANT subroutine, and another fixed jump back out to the desired location (skipping the unwanted instruction in the original code) would allow for the GET_RAND_QUADRANT subroutine to be reused correctly in a case where using two patches is not wanted.

​@@snaphatjust modify the return address immediately before the main routine, the same way the patches already worked

​@@Starwort Oops, apologizes, I wrote that very poorly. I didn't mean to imply it requires extra branch instructions. You get the 5 or 6 extra bytes depending on whether you need to handle overflow or not WITHOUT any additional branch instructions. In terms of where you'd place the instruction sequences, the proper place is directly above the GET_RAND_QUADRANT label

The CPU doesn't care and I have a framework I built to make it easy for my projects. Pretty enough. I'm more interested in clock cycles

This sentence makes no sense. What are you trying to communicate?

Happy birthday!

Happy birthday!

Happy birthday!

Given the official replies to this video, it seems I was sort of in the right general area, but pretty far off the mark. Thanks for the more specific info straight from the dev!

👀 emoji: them looking left

The way they could implement that is to replace the RET at the end of the hijack payload with POP HL, add 3 to it, check if HL points to Inky or Sue (and if so add another 3 to it), then JMP HL.

checking if HL points to Inky or Sue is not needed at all (and small correction - the return address needs to be incremented thrice, not twice)

​@@diskpoppyYou'd need to increment it for those two because you're not just skipping the CALL instruction, but also the subsequent LD instruction. But yeah, you're right, you'd need to increment it three times, then an additional three times for those two ghosts.

@@ENCHANTMEN_ oh right, forgot that they also share the code with Blinky and Pinky. that could also be remedied by Inky and Sue's hijack entry points CALLing the common code instead

Yep, your idea makes sense. If we had realized this bug, I bet that's how we would have fixed it. Now you've got me wondering what instructions we could have used!

Hm... $40 decodes to "LD B, B", which would be a NOP. Is that actually valid or illegal somehow? From what I see that is a valid NOP on both gameboy CPU and original Z80 - and probably would have been ideal filler here. Unless this CPU was special - such instructions are a typical place to insert vendor specific stuff, as $00 is already the "official" NOP.

@@divVerent No that wont work. Single byte nops wont fix the problem of the 3rd byte of the LD de instruction that can't be changed. If you nop out the first 2 bytes, the third byte will still do something

@@sgolson Probably the 2-byte long relative jump? Just make it jump over the stray byte to the instruction that's following it...

My mistake, I misread. The 3rd byte of these instructions was not $40. But indeed, JR would work.

Thanks for asking; I'll try and answer what I can. Wow, hard to believe this was over FORTY years ago…

A bus of framerules?

@@KernelLeak the bus _is_ the framerule i thought

Good for her

The process is called "disassembly". You can do it by hand using reference tables if you really want to, although this is only really practical for small pieces of code. The process can be automated to some extent using a program called a "disassembler", that supports the particular processor architecture the code was written for (in this case the Zilog Z80). They aren't fool proof, and will usually need some manual intervention in order to produce readable code eg. giving meaningful names to labels, identifying what is code and what is data. The more sophisticated disassemblers actually execute the code on an emulation of the target machine in order to determine whether particular sections of memory are code, data (or even both); they can even identify specific memory areas and give hints as to what the actual function of a routine is. eg. if it's writing to video RAM, reading input ports, writing to sound registers etc. Personally, I use SkoolKit for Z80 disassembly. It's primarily designed around disassembling ZX Spectrum programs, but it's open-source and can be adapted to most Z80 based platforms with a bit of work. However, for a first attempt at disassembling the Pac-Man arcade boards, you may want to start with a more generic Z80 disassembler.

@@gwishart Wow, thanks so much!

There is a romset out there called "mspacmab" (Ms. Pac-Man bootleg I suppose) that is essentially this but I'm unsure if it was ever implemented in hardware anywhere.

LOL

Probably just to prevent any accidental ambiguity, same reason there is no O or Q row.

@RGMechEx Aah, OK, now I can enjoy the rest of my life. Thanks muchly 👍🏽