Memory Map
Revision as of 10:00, 28 July 2015 by Wikia>WurlyFox (→Crash 1)
A memory map is essentially a table of associations between addresses in a binary executable and descriptions of the data and/or code they locate.
Crash 1
Currently incomplete.
"ROM" - (these locations refer to constant, read-only data) | ||
Address | Description | Size |
0x514DC | subsystem tables | 21 x 28 bytes |
0x51728 | character table for EID decoding | 64 x 1 byte |
0x51768 | zero vector | 3 x 4 bytes |
0x51774 | texture regions map | 600 x 4 x 2 bytes |
0x52A34 | precomputed list of (x,y) byte pairs sorted by euclidian distance | 152 x 2 x 1 byte |
0x52B64 | structures describing player angle and displacement for each controller direction | 16 x 3 x 4 bytes |
0x52C24 | structures describing player velocity per state (on ground, in air, etc.) | |
0x52CA4 | used by GOOL VECB | 4 x 4 bytes |
0x52CB4 | percentages used to scale a monochromatic color for GOOL VECB subop. 1 | 12 x 4 bytes |
0x52CE4 | ? | 16 x 1 byte |
0x52CF4 | circle bitmap (used for wall detection) | 128 bytes (32x32 bits) |
0x52D74 | ? (referenced by sub_8002EC68 TBD) | 84 x 4 bytes |
0x52EC4 | array 1 (unknown) | 14 x 4 bytes |
0x52EFC | array 2 (unknown) | 10 x 4 bytes |
0x52F24 | array 3 (unknown) | 11 x 4 bytes |
0x52F50 | array 4 (unknown) | 11 x 4 bytes |
0x52F88 | array 5 (unknown) | 19 x 4 bytes |
0x52FD4 | array 6 (unknown) | 32 x 4 bytes |
0x53054 | array of 6 pointers to the above arrays(referenced by sub_8002EC68 TBD) | 6 x 4 bytes |
0x5306C | sin/cosine table | 1042 x 2 bytes |
0x53890 | reserved for various library (gpu and etc?) routines | 4876 bytes |
*0x54A20 | pointer for generating the current drawing primitive packet | 4 bytes |
0x54B9C | square root table | 192 x 2 bytes |
0x54D1C | atan2 table | 2052 bytes |
0x55520-0x563F8 | reserved for cd-rom (and spu?) routines | |
"RAM" | ||
global variables | ||
0x563FC: gp[0] | ? | |
0x56400: gp[0x4] | ? | |
... | ||
0x56420: gp[0x24] | frame buffer destination X | |
0x56422: gp[0x26] | frame buffer destination Y | |
0x56424: gp[0x28] | frame buffer destination W (inited in binary with 0x100) | |
0x56426: gp[0x2A] | frame buffer destination H (inited in binary with 0x80) | |
0x56428: gp[0x2C] | quit game flag (will break game loop) | |
... | ||
0x56440: gp[0x44] | depth cuing matrix used by sub_80019F90 | |
0x56444: gp[0x48] | ^ | |
0x56448: gp[0x4C] | ^ | |
0x5644C: gp[0x50] | ^ | |
0x56450: gp[0x54] | ^ | |
0x56454: gp[0x58] | ^ | |
0x56458: gp[0x5C] | ^ | |
0x5645C: gp[0x60] | ^ | |
0x56460: gp[0x64] | ??used by sub_2EC68 | |
0x56464: gp[0x68] | ??used by sub_2EC68 | |
0x56468: gp[0x6C] | ??used by sub_2EC68 | |
0x5646C: gp[0x70] | ??used by sub_2EC68 | |
0x56470: gp[0x74] | ??used by sub_2EC68 | |
0x56474: gp[0x78] | ??used by sub_2EBB4* EDIT: ALSO USED BY ALT PRIM ROUTINE 19DE0 | |
0x56478: gp[0x7C] | ??used by sub_2EBB4 EDIT: ALSO USED BY ALT PRIM ROUTINE 19DE0 | |
0x5647C: gp[0x80] | ??copied to stack and unused during path routine; byte of 0x80 followed by 3 zero bytes | |
0x56480: gp[0x84] | ??pointer to scratch[0x40] | |
0x56484: gp[0x88] | zero ??? | |
0x56488: gp[0x8C] | ??pointer to scratch[0x40] | |
0x5648C: gp[0x90] | zero ??? | |
0x56490: gp[0x94] | ? see ldat initb/253a0 | |
0x56494: gp[0x98] | ? see ldat initb/253a0 | |
0x56498: gp[0x9C] | "0b_pZ\0" string used by demo routine (extends to gp[0xA0]) | |
0x5649C: gp[0xA0] | ^^^^^^^^^^^^^ | |
0x564A0: gp[0xA4] | ??? inited with 0 | |
0x564A4: gp[0xA8] | camera Z trans due to 'lookback' (i.e. moving forward or backward) | |
0x564A8: gp[0xAC] | camera Z trans due to nearby Z section 'scale' | |
0x564AC: gp[0xB0] | flag for camera 'lookback' (i.e. camera Z trans'ed forward due to moving forward (clear) or trans'ed back due to moving back (set)) | |
0x564B0: gp[0xB4] | flag for camera 'pan X' (i.e. camera X trans'ed left due to moving left (clear) or trans'ed right due to moving right right (set)) | |
0x564B4: gp[0xB8] | camera Y trans due to nearby Y section 'scale' | |
0x564B8: gp[0xBC] | camera X trans due to 'pan X' (i.e. moving left or right) | |
0x564BC: gp[0xC0] | land offset? (how high crash sits atop nodes before being stopped by them) | |
... | ||
0x564DC: gp[0xE0] | random seed (inited to 1) | |
0x564E0: gp[0xE4] | "CD001" string used by filesystem read routine (2F8C4) | |
... | ||
0x56500: gp[0x104] | ? see mdat initb (inited with 1) | |
0x56504: gp[0x108] | "0b_pz" string (EID string for game over screen/zone) (extends to gp[0x10C]) | |
0x56508: gp[0x10C] | ^^^ | |
0x5650C: gp[0x110] | "0c_pz" string (EID string for main menu screen/zone) | 2 x 4 bytes |
0x56514: gp[0x118] | "0d_pz" string (EID string for Naughty Dog screen/zone) | 2 x 4 bytes |
0x5651C: gp[0x120] | "0e_pz" string (EID string for options/password/load game menu/zone) | 2 x 4 bytes |
0x56524: gp[0x128] | "0f_pz" string (EID string for 6th zone in map model) | 2 x 4 bytes |
0x5652C: gp[0x130] | "1e_pz" string (EID string for first island (before end) zone in map model) | |
0x56534: gp[0x138] | "1a_pz" string (EID string for first island (at end/native fortress) zone in map model) | |
0x5653C: gp[0x140] | "2b_pz" string (EID string for second island zone in map model) | |
0x56544: gp[0x148] | "3a_pz" string (EID string for third island zone in map model) | |
0x5654C: gp[0x150] | "0a_pz" string (EID string for Entertainment America & Universal Interactive Screens/zone) | |
0x56554: gp[0x158] | "%cMapP" EID string to grab the entries in sequence used for palette fading | |
0x5655C: gp[0x160] | "0MapP" EID string used to grab the first palette entry in sequence for a palette fade | |
... | ||
0x565C0: gp[0x1C4] | camera speed/most recent change in section progress | |
... | ||
0x565DC: gp[0x1E0] | small slope flag? | |
.... | ||
0x56664: gp[0x268] | ? used by GOOL MSC | |
.. | ||
0x56678: gp[0x27C] | ? see mdat postinit | |
... | ||
0x566AC: gp[0x2B0] | 0x1F800180 | |
0X566B0: gp[0x2B4] | EID of crash code entry | |
0x566B4: gp[0x2B8] | crash process | |
0x566B8: gp[0x2BC] | SLST decoded buffer temp (used for swap) | |
0x566BC: gp[0x2C0] | SLST decoded back buffer (swapped with front buf, gp[0x304]) | |
... | ||
0x566C4: gp[0x2C8] | event descriptor for '(software) memory card: end of i/o' | |
0x566C8: gp[0x2CC] | event descriptor for '(software) memory card: error happened' | |
0x566CC: gp[0x2D0] | event descriptor for '(software) memory card: timeout' | |
0x566D0: gp[0x2D4] | event descriptor for '(software) memory card: new device' | |
... | ||
0x566E0: gp[0x2E4] | MDAT page, structure used by titles | |
0x566E4: gp[0x2E8] | ? zeroed at ldat initB | |
0x566E8: gp[0x2EC] | ? zeroed at ldat initB | |
0x566EC: gp[0x2F0] | event descriptor for '(hardware) memory card: end of i/o' | |
0x566F0: gp[0x2F4] | event descriptor for '(hardware) memory card: error happened' | |
0x566F4: gp[0x2F8] | 0x1F800100 | |
0x566F8: gp[0x2FC] | event descriptor for '(hardware) memory card: timeout' | |
0x566FC: gp[0x300] | event descriptor for '(hardware) memory card: new device' | |
0x56700: gp[0x304] | SLST decoded front buffer (swapped with back buf, gp[0x2C0]) | |
0x56704: gp[0x308] | some demo mode gool process? | |
0x56708: gp[0x30C] | ? | |
0x5670C: gp[0x310] | 0x1F800380; refers to scratch[0x380], circle bitmap is copied from 0x52CF4 to here in BINF init routine | |
------- | ||
0x56710 | current level ID | 4 bytes |
0x56714 | next level ID (for changing levels) | 4 bytes |
... | ||
0x56804 - 0x56E64 | structures describing SPU hardware voices | 24 x 0x44 bytes |
... | ||
0x57054 | controller data | |
... | ||
0x57280 | ? initially 0; | 4 bytes |
0x57284 | ? initially 0; | 4 bytes |
0x57288 | ? initially 0; | 4 bytes |
0x5728C | 8 wavebank entry EIDs? | |
... | ||
0x57298 | 4 null EIDs | |
... | ||
(for hword matrices only first 9 hwords used, last 7 are padding for align to 32 bytes) | ||
0x577C4 - 0x577E4 | viewpoint rotation matrix (including translation by viewpoint translation vector) | 16 x 2 bytes |
0x577E4 - 0x57804 | viewpoint rotation matrix negated and scaled 5/8s for Y, negated for Z | 16 x 2 bytes |
0x57804 - 0x57824 | copy of 0x577E4 - 0x57804 | 16 x 2 bytes |
0x57824 | unknown matrix | 16 x 2 bytes |
in one case | ||
0x57844 | 0x57824 scaled 5/8 in the y and negated in the z OR a copy of 0x577E4 in certain case | |
0x5785C | z rotation matrix for a small angle, approximately 11 degrees OR weirdly rotated version of 577E4 in certain case | |
0x57864 | camera x [initial value 0] | |
0x57868 | camera y [initial value 0] | |
0x5786C | camera z [initial value 0x1F400] | |
0x57870 | camera x rotation angle [initial value 0] | |
0x57874 | camera y rotation angle [initial value 0] | |
0x57878 | camera z rotation angle [initial value 0] | |
0x5787C | camera x scale? [initial value 0x1000] | |
0x57880 | camera y scale? [initial value 0x1000] | |
0x57884 | camera z scale? [initial value 0x1000] | |
0x57888 | camera x @ last time zone flags bit 13 not set [initial value 0] | |
0x5788C | camera y @ last time zone flags bit 13 not set [initial value 0xE1000] | |
0x57890 | camera z @ last time zone flags bit 13 not set [initial value 0x5DC000] | |
... | ||
0x578AC | ? intially 0, cleared by projection routine | |
0x578B0 | ? initially 0; | |
0x578B2 | ? initially 0; | |
0x578B4 | ? initially 0x1000; | |
... | ||
0x578C4 | ? initially 0; | |
0x578C8 | ? initially 0; | |
0x578CC | ? initially 0; | |
0x578D0 | projection distance (from viewer's eye) | |
0x578D4 | starts hword matrix... initially 0x200 | |
0x578D6 | initially 0x200 | |
0x578D8 | initially 0x200 | |
0x578DA | initially 0x200 | |
0x578DC | initially 0x200 | |
0x578DE | initially 0x200 | |
0x578E0 | initially 0x200 | |
0x578E2 | initially 0x200 | |
0x578E4 | initially 0x200 | |
... | ||
0x57914 | current zone (entry) | |
0x57918 | previous zone header (zone item) | |
0x5791C | current camera path (zone item) | |
0x57920 | current camera path progress | |
... | ||
0x57930 | set to 0x57938 when zone flags bit 13 not set, else cleared | |
0x57934 | camera x rotation after most recent adjustment/level update | |
0x57938 | camera y rotation after most recent adjustment/level update | |
0x5793C | camera z rotation after most recent adjustment/level update | |
0x57940 | camera x rotation before most recent adjustment/level update | |
0x57944 | camera y rotation before most recent adjustment/level update | |
0x59748 | camera z rotation before most recent adjustment/level update | |
0x5794C | sin(*(0x57930))/16; | |
0x57950 | ? | |
0x57954 | cos(*(0x57930))/16; | |
... | ||
0x57960 | (active buffer?) | |
... | ||
0x57968 | 4 byte string? cleared at loadLevel (or is his what the demo mode sub uses) | |
... | ||
0x57970 | set to *(0x34520) at loadLevel | |
0x57974 | zone checkpoint state: player trans X | |
0x57978 | zone checkpoint state: player trans Y | |
0x5797C | zone checkpoint state: player trans Z | |
0x57980 | zone checkpoint state: player rotation Y? (rewritten with 0) | |
0x57984 | zone checkpoint state: player rotation X? (rewritten with 0) | |
0x57988 | zone checkpoint state: player rotation Z? (rewritten with 0) | |
0x5798C | zone checkpoint state: player scale X | |
0x57990 | zone checkpoint state: player scale Y | |
0x57994 | zone checkpoint state: player scale Z | |
0x57998 | zone checkpoint state: current zone EID | |
0x5799C | zone checkpoint state: current camera path | |
0x579A0 | zone checkpoint state: current camera path progress | |
0x579A4 | zone checkpoint state: either level ID or MDAT/LDAT EID? (saved as 0x5c53c[4]) | |
0x579A8 | zone checkpoint state: flag | |
0x579AC | zone checkpoint state: copy of spawn flags list | |
0x57E6C | zone checkpoint state: boxes broken count | |
... | ||
0x57F40 | 8 x wavebank page structures | |
0x580A0 | 16 x texture page structures | |
... | ||
0x58400 | buffer count | |
0x58404 | buffer onscreen pointer | |
0x58408 | buffer offscreen pointer | |
0x5840C | buffer onscreen (mirror?) pointer | |
0x58410 - 0x5A497 | buffer onscreen | |
0x5A498 - 0x5C51F | buffer offscreen | |
... | ||
0x5C528 | start of main game struct (15b58 puts 1 here to indicate) | |
0x5C52C | level ID (this is placed at 0x56710) | |
0x5C530 | pointer to entry hash table indices/offsets | |
0x5C534 | pointer to entry hash table | |
0x5C538 | pointer to (loading screen information from NSD?) | |
0x5C53C | pointer to NSD level header | |
[0x0] 0x1 magic | ||
[0x4] levelID | ||
[0x8] first zone | ||
[0xC] first section | ||
[0x10] | ||
[0x14-0x110] code EID map | ||
[0x114] projection mode | ||
0x5c540 | pointer to NSD (structure) | |
0x5c548 | current address to read from disc | |
0x5C54C | 0; | |
0x5C550 | COUNT OF page structures IN MAINSPACE (high priority) | |
0X5C554 | MAIN page structure SPACE (holds 60 x 44 byte page structures) | 60 x 44 bytes |
0x5C91C | COUNT OF page structures IN NON-MAINSPACE (low priority) | |
0x5C920 | NON-MAIN page structures SPACE | |
0x5CFA8 | number of valid pointers in the 0x5CFBC list??? | |
0x5CFAC | most recent page stucture set at case 0, and cleared at case 1 if reading doesnt fail game[0xA84] | |
0x5CFB0 | pointer to a list of items game[0xA88] | |
0x5CFB4 | most recent page stucture set at case 8, and cleared at case 9 game[0xA8C] | |
0x5CFB8 | most recent page stucture's CID set at case 0 if reading doesnt fail game[0xA90] | |
0x5CFBC | CID->page stucture list | |
0x5CFC0 | ? | |
0x5CFC4 | ? | |
0x5CFC8 | ? | |
0x5CFCC | ? | |
0x5CFD0 | ? | |
0x5CFD4 | ? | |
0x5CFD8 | ? | |
0x5CFDC | ? | |
0x5CFE0 | ? | |
0x5CFE4 | ? | |
0x5CFE8 | ? | |
0x5CFEC | surface collision data | 4176 or 0x1050 bytes |
0x5E03C | filesystem map | 64 x 3 x 4 bytes |
0x5E344 | spuVmMaxVoice | 4 bytes |
0x5E348 | spawned level object list | 256 x 2 bytes |
0x5E548 | reserved for SPU routines | 6672 bytes |
0x5FF58 | spawn list | 304 x 4 bytes |
0x60418 | reserved for MIDI/SPU routines | 2456 bytes |
0x60DB0 | pointer to player object space (points to space allocated for 1 object plus 0x100 words) | |
0x60DB4 | pointer to object space (points to space allocated for 96 objects) | |
0x60DB8 | object list A handle | |
0x60DC0 | object list B handle | |
0x60DC8 | object list C handle | |
0x60DD0 | object list D handle | |
0x60DD8 | object list E handle | |
0x60DE0 | object list F handle | |
0x60DE8 | object list G handle | |
0x60DF0 | object list H handle | |
0x60DF8 | free object list handle | |
0x60E00 | last animated object (whose process to run sub_8001DA0C-routine that animates all objects of type 3 | |
0x60E04 | global game counter | |
0x60E08-0x61887 | object space map | 96 x 28 bytes |
0x61888 | object space map entry count | |
0x6188C starts global variables for gool processes | ||
------------ | ||
0x6188C [0x00] | initialized with zone number in left 3 bytes (by opat) | |
0x61890 [0x01] | ...? | |
0x61894 [0x02] | screen Y offset base (will be >> 8 and added to var 0x2D before used as SetGeomOffset Y argument) | |
0x61898 [0x03] | ...used by the other drawing modes | |
0x6189C [0x04] | copied to global primitive render/animate bitfield perframe flags (bit 3 & 4 set right before title fade in) (see mdat initB) | |
0x618A0 [0x05] | ? (level reload count?) | |
0x618A4 [0x06] | instance of graphics process sub 1 | |
0x618A8 [0x07] | instance of graphics process sub 0 | |
0x618AC [0x08] | instance of graphics process sub 0x27, set by ripper roo | |
0x618B0 [0x09] | global primitive render/animate bitfield (title flags?)) | |
0x618B4 [0x0A] | ? modified by sub_8002BAB4 called at beginning of 2b2bc (cam routine) | |
0x618B8 [0x0B] | ? global central Z of illumination for proc brightness? | |
0x618BC [0x0C] | instance of graphics process sub 4 to list H in 11FC4 by 1C6C8 | |
0x618C0 [0x0D] | use by FruiC, incremented (fruit to HUD collection path interpolation factor?) | |
0x618C4 [0x0E] | instance of graphics process sub 5 | |
0x618C8 [0x0F] | mirror of 0x57930 (17A14); used by aku, and fruit for some y positioning | |
0x618CC [0x10] | aku aku stores pointer to itself here (17A14) | |
0x618D0 [0x11] | ? set to 0x100 by camera routine case 0, (5, 6 level); set to 6 by DispC | |
0x618D4 [0x12] | title mode buffer?, set by DispC | |
0x618D8 [0x13] | ||
0x618DC [0x14] | game progress (0x63 inital progress before start game), (0x1F full completion, i.e. 31+1 | |
0x618E0 [0x15] | ||
0x618E4 [0x16] | ||
0x618E8 [0x17] | ||
0x618EC [0x18] | init 0; incremented by FruiC (fruit or live counter?) | |
0x618F0 [0x19] | init 0 | |
0x618F4 [0x1A] | init 0 | |
0x618F8 [0x1B] | init 0 | |
0x618FC [0x1C] | init 0 | |
0x61900 [0x1D] | init 0 | |
0x61904 [0x1E] | set to zone flags when loading new zone | |
0x61908 [0x1F] | loaded from mem card routine... used by? | |
0x6190C [0x20] | loaded from mem card routine... used by? | |
0x61910 [0x21] | loaded from mem card routine... used by? | |
0x61914 [0x22] | loaded from mem card routine... used by? | |
0x61918 [0x23] | loaded from mem card routine... used by? | |
0x6191C [0x24] | pointer to tnt explosion process (if event spawns it) | |
0x61920 [0x25] | 0x57864 mirror //gool processes (ex. aku aku) use this as an interface for camera location | |
0x61924 [0x26] | 0x57868 mirror | |
0x61928 [0x27] | 0x5786C mirror | |
0x6192C [0x28] | 0x57870 mirror | |
0x61930 [0x29] | 0x57874 mirror | |
0x61934 [0x2A] | 0x57878 mirror | |
0x61938 [0x2B] | previous iteration execution time, minus VSync time (checked by aku aku, also GemsC, also WarpC | |
0x6193C [0x2C] | screen X offset (sent to SetGeomOffset) initially 0, cleared by projection init routine | |
0x61940 [0x2D] | screen Y offset (sent to SetGeomOffset, after adding initial Y offset value at 0x2 << 8) initially 0 | |
0x61944 [0x2E] | set by mem card load, checked by BoxsC, or FruiC, along with game progress at 0x14 | |
0x61948 [0x2F] | maximum initial Z position for entities spawned during title sequences | |
... | ||
0x61950 [0x31] | cleared when an event is sent to a tnt explosion | |
... | ||
0x61964 [0x36] | ? aku aku sets this to 0; also sets to point to itself in certain conditions | |
... | ||
0x6197C [0x3C] | incremental value set by DispC [0x3C] | |
.... | ||
0x61984 [0x3E] | box count/number of boxes broken | |
0x61988 [0x3F] | read by GemsC (gems collected?) | |
.... | ||
0x61990 [0x41] | timestamp of most recent gem render? in certain case | |
... | ||
0x61998 [0x43] | cleared when a new zone is loaded | |
0x6199C [0x44] | debug flag (set in prototype?) | |
0x619A0 [0x45] | PID of most recently hit checkpoint box when not -1 or 0 and saving state, we record the vector at 0x61A24 in place of objects trans | |
also replaced by DispC! | ||
... | ||
0x619AC [0x48] | read by GemsC, also BoxsC, also FruiC | |
... | ||
0x619BC [0x4C] | set by, to point to self instance of DispC state 10 | |
... | ||
---- | ||
0x61A1C [0x64] | set to 0xD00 by DispC | |
... | ||
0x61A24 [0x66] | X component of most recent broken checkpoint box; replaces object trans when saving state if flag 0x619A0 set | |
0x61A28 [0x67] | Y component of ....... | |
0x61A2C [0x68] | Z component of ....... | |
... | ||
0x61A34 [0x6A] | fade duration/counter? | |
... | ||
... | ||
... | ||
0x61A5C [0x74] | ?? set to 0 for each neighbor zone when loading a new zone | |
0x61A60 [0x75] | set/incremented by boxes during spawn | |
reset when loading a new zone for each neighbor zone | ||
0x61A64 [0x76] | ?? set to 0 for each neighbor zone when loading a new zone | |
---------------------- |