Memory Map
Revision as of 11:07, 28 July 2015 by Wikia>WurlyFox (→Crash 1)
A memory map is essentially a table of associations between addresses in a binary executable and descriptions of the data and/or code they locate.
Crash 1
Currently incomplete.
Data
| "ROM" - (these locations refer to constant, read-only data; address space still resides in RAM) | ||
| Address | Description | Size |
| 0x514DC | subsystem tables | 21 x 28 bytes |
| 0x51728 | character table for EID decoding | 64 x 1 byte |
| 0x51768 | zero vector | 3 x 4 bytes |
| 0x51774 | texture regions map | 600 x 4 x 2 bytes |
| 0x52A34 | precomputed list of (x,y) byte pairs sorted by euclidian distance | 152 x 2 x 1 byte |
| 0x52B64 | structures describing player angle and displacement for each controller direction | 16 x 3 x 4 bytes |
| 0x52C24 | structures describing player velocity per state (on ground, in air, etc.) | |
| 0x52CA4 | used by GOOL VECB | 4 x 4 bytes |
| 0x52CB4 | percentages used to scale a monochromatic color for GOOL VECB subop. 1 | 12 x 4 bytes |
| 0x52CE4 | ? | 16 x 1 byte |
| 0x52CF4 | circle bitmap (used for wall detection) | 128 bytes (32x32 bits) |
| 0x52D74 | ? (referenced by sub_8002EC68 TBD) | 84 x 4 bytes |
| 0x52EC4 | array 1 (unknown) | 14 x 4 bytes |
| 0x52EFC | array 2 (unknown) | 10 x 4 bytes |
| 0x52F24 | array 3 (unknown) | 11 x 4 bytes |
| 0x52F50 | array 4 (unknown) | 11 x 4 bytes |
| 0x52F88 | array 5 (unknown) | 19 x 4 bytes |
| 0x52FD4 | array 6 (unknown) | 32 x 4 bytes |
| 0x53054 | array of 6 pointers to the above arrays(referenced by sub_8002EC68 TBD) | 6 x 4 bytes |
| 0x5306C | sin/cosine table | 1042 x 2 bytes |
| 0x53890 | reserved for various library (gpu and etc?) routines | 4876 bytes |
| *0x54A20 | pointer for generating the current drawing primitive packet | 4 bytes |
| 0x54B9C | square root table | 192 x 2 bytes |
| 0x54D1C | atan2 table | 2052 bytes |
| 0x55520-0x563F8 | reserved for cd-rom (and spu?) routines | |
| "RAM" | ||
| global variables | ||
| 0x563FC: gp[0] | ? | |
| 0x56400: gp[0x4] | ? | |
| ... | ||
| 0x56420: gp[0x24] | frame buffer destination X | |
| 0x56422: gp[0x26] | frame buffer destination Y | |
| 0x56424: gp[0x28] | frame buffer destination W (inited in binary with 0x100) | |
| 0x56426: gp[0x2A] | frame buffer destination H (inited in binary with 0x80) | |
| 0x56428: gp[0x2C] | quit game flag (will break game loop) | |
| ... | ||
| 0x56440: gp[0x44] | depth cuing matrix used by sub_80019F90 | |
| 0x56444: gp[0x48] | ^ | |
| 0x56448: gp[0x4C] | ^ | |
| 0x5644C: gp[0x50] | ^ | |
| 0x56450: gp[0x54] | ^ | |
| 0x56454: gp[0x58] | ^ | |
| 0x56458: gp[0x5C] | ^ | |
| 0x5645C: gp[0x60] | ^ | |
| 0x56460: gp[0x64] | ??used by sub_2EC68 | |
| 0x56464: gp[0x68] | ??used by sub_2EC68 | |
| 0x56468: gp[0x6C] | ??used by sub_2EC68 | |
| 0x5646C: gp[0x70] | ??used by sub_2EC68 | |
| 0x56470: gp[0x74] | ??used by sub_2EC68 | |
| 0x56474: gp[0x78] | ??used by sub_2EBB4* EDIT: ALSO USED BY ALT PRIM ROUTINE 19DE0 | |
| 0x56478: gp[0x7C] | ??used by sub_2EBB4 EDIT: ALSO USED BY ALT PRIM ROUTINE 19DE0 | |
| 0x5647C: gp[0x80] | ??copied to stack and unused during path routine; byte of 0x80 followed by 3 zero bytes | |
| 0x56480: gp[0x84] | ??pointer to scratch[0x40] | |
| 0x56484: gp[0x88] | zero ??? | |
| 0x56488: gp[0x8C] | ??pointer to scratch[0x40] | |
| 0x5648C: gp[0x90] | zero ??? | |
| 0x56490: gp[0x94] | ? see ldat postinit/253a0 | |
| 0x56494: gp[0x98] | ? see ldat postinit/253a0 | |
| 0x56498: gp[0x9C] | "0b_pZ\0" string used by demo routine (extends to gp[0xA0]) | |
| 0x5649C: gp[0xA0] | ^^^^^^^^^^^^^ | |
| 0x564A0: gp[0xA4] | ??? inited with 0 | |
| 0x564A4: gp[0xA8] | camera Z trans due to 'lookback' (i.e. moving forward or backward) | |
| 0x564A8: gp[0xAC] | camera Z trans due to nearby Z section 'scale' | |
| 0x564AC: gp[0xB0] | flag for camera 'lookback' (i.e. camera Z trans'ed forward due to moving forward (clear) or trans'ed back due to moving back (set)) | |
| 0x564B0: gp[0xB4] | flag for camera 'pan X' (i.e. camera X trans'ed left due to moving left (clear) or trans'ed right due to moving right right (set)) | |
| 0x564B4: gp[0xB8] | camera Y trans due to nearby Y section 'scale' | |
| 0x564B8: gp[0xBC] | camera X trans due to 'pan X' (i.e. moving left or right) | |
| 0x564BC: gp[0xC0] | land offset? (how high crash sits atop nodes before being stopped by them) | |
| ... | ||
| 0x564DC: gp[0xE0] | random seed (inited to 1) | |
| 0x564E0: gp[0xE4] | "CD001" string used by filesystem read routine (2F8C4) | |
| ... | ||
| 0x56500: gp[0x104] | ? see mdat initb (inited with 1) | |
| 0x56504: gp[0x108] | "0b_pz" string (EID string for game over screen/zone) | 2 x 4 bytes |
| 0x5650C: gp[0x110] | "0c_pz" string (EID string for main menu screen/zone) | 2 x 4 bytes |
| 0x56514: gp[0x118] | "0d_pz" string (EID string for Naughty Dog screen/zone) | 2 x 4 bytes |
| 0x5651C: gp[0x120] | "0e_pz" string (EID string for options/password/load game menu/zone) | 2 x 4 bytes |
| 0x56524: gp[0x128] | "0f_pz" string (EID string for 6th zone in map model) | 2 x 4 bytes |
| 0x5652C: gp[0x130] | "1e_pz" string (EID string for first island (before end) zone in map model) | |
| 0x56534: gp[0x138] | "1a_pz" string (EID string for first island (at end/native fortress) zone in map model) | |
| 0x5653C: gp[0x140] | "2b_pz" string (EID string for second island zone in map model) | |
| 0x56544: gp[0x148] | "3a_pz" string (EID string for third island zone in map model) | |
| 0x5654C: gp[0x150] | "0a_pz" string (EID string for Entertainment America & Universal Interactive Screens/zone) | |
| 0x56554: gp[0x158] | "%cMapP" EID string to grab the entries in sequence used for palette fading | |
| 0x5655C: gp[0x160] | "0MapP" EID string used to grab the first palette entry in sequence for a palette fade | |
| ... | ||
| 0x565C0: gp[0x1C4] | camera speed/most recent change in camera path progress | |
| ... | ||
| 0x565DC: gp[0x1E0] | small slope flag? | |
| .... | ||
| 0x56664: gp[0x268] | ? used by GOOL MSC | |
| .. | ||
| 0x56678: gp[0x27C] | ? see mdat postinit | |
| ... | ||
| 0x566AC: gp[0x2B0] | 0x1F800180 | |
| 0X566B0: gp[0x2B4] | EID of Crash GOOL executable entry | |
| 0x566B4: gp[0x2B8] | Crash object | |
| 0x566B8: gp[0x2BC] | SLST decoded buffer temp (used for swap) | |
| 0x566BC: gp[0x2C0] | SLST decoded back buffer (swapped with front buf, gp[0x304]) | |
| ... | ||
| 0x566C4: gp[0x2C8] | event descriptor for '(software) memory card: end of i/o' | |
| 0x566C8: gp[0x2CC] | event descriptor for '(software) memory card: error happened' | |
| 0x566CC: gp[0x2D0] | event descriptor for '(software) memory card: timeout' | |
| 0x566D0: gp[0x2D4] | event descriptor for '(software) memory card: new device' | |
| ... | ||
| 0x566E0: gp[0x2E4] | MDAT page, structure used by titles | |
| 0x566E4: gp[0x2E8] | ? zeroed at ldat postinit | |
| 0x566E8: gp[0x2EC] | ? zeroed at ldat postinit | |
| 0x566EC: gp[0x2F0] | event descriptor for '(hardware) memory card: end of i/o' | |
| 0x566F0: gp[0x2F4] | event descriptor for '(hardware) memory card: error happened' | |
| 0x566F4: gp[0x2F8] | 0x1F800100 | |
| 0x566F8: gp[0x2FC] | event descriptor for '(hardware) memory card: timeout' | |
| 0x566FC: gp[0x300] | event descriptor for '(hardware) memory card: new device' | |
| 0x56700: gp[0x304] | SLST decoded front buffer (swapped with back buf, gp[0x2C0]) | |
| 0x56704: gp[0x308] | some demo mode object? | |
| 0x56708: gp[0x30C] | ? | |
| 0x5670C: gp[0x310] | 0x1F800380; refers to scratch[0x380], circle bitmap is copied from 0x52CF4 to here during BINF init routine | 4 bytes |
| 0x56710 | current level ID | 4 bytes |
| 0x56714 | next level ID (for changing levels) | 4 bytes |
| ... | ||
| 0x56804 | structures describing SPU hardware voices | 24 x 0x44 bytes |
| ... | ||
| 0x57054 | controller data | |
| ... | ||
| 0x57280 | ? initially 0; | 4 bytes |
| 0x57284 | ? initially 0; | 4 bytes |
| 0x57288 | ? initially 0; | 4 bytes |
| 0x5728C | 8 wavebank entry EIDs? | |
| ... | ||
| 0x57298 | 4 null EIDs | |
| ... | ||
| ***for hword matrices only first 9 hwords used, last 7 are padding for align to 32 bytes | ||
| 0x577C4 | viewpoint rotation matrix (including translation by viewpoint translation vector) | 16 x 2 bytes |
| 0x577E4 | viewpoint rotation matrix negated and scaled 5/8s for Y, negated for Z | 16 x 2 bytes |
| 0x57804 | copy of 0x577E4 - 0x57804 | 16 x 2 bytes |
| 0x57824 | unknown matrix | 16 x 2 bytes |
| 0x57844 | 0x57824 scaled 5/8 in the y and negated in the z OR a copy of 0x577E4 in certain case | ? |
| 0x5785C | z rotation matrix for a small angle, approximately 11 degrees OR weirdly rotated version of 577E4 in certain case | ? |
| 0x57864 | camera x [initial value 0] | |
| 0x57868 | camera y [initial value 0] | |
| 0x5786C | camera z [initial value 0x1F400] | |
| 0x57870 | camera x rotation angle [initial value 0] | |
| 0x57874 | camera y rotation angle [initial value 0] | |
| 0x57878 | camera z rotation angle [initial value 0] | |
| 0x5787C | camera x scale? [initial value 0x1000] | |
| 0x57880 | camera y scale? [initial value 0x1000] | |
| 0x57884 | camera z scale? [initial value 0x1000] | |
| 0x57888 | camera x @ last time zone flags bit 13 not set [initial value 0] | |
| 0x5788C | camera y @ last time zone flags bit 13 not set [initial value 0xE1000] | |
| 0x57890 | camera z @ last time zone flags bit 13 not set [initial value 0x5DC000] | |
| ... | ||
| 0x578AC | ? intially 0, cleared by projection routine | |
| 0x578B0 | ? initially 0 | |
| 0x578B2 | ? initially 0 | |
| 0x578B4 | ? initially 0x1000 | |
| ... | ||
| 0x578C4 | ? initially 0 | |
| 0x578C8 | ? initially 0 | |
| 0x578CC | ? initially 0 | |
| 0x578D0 | projection distance (from viewer's eye) | |
| 0x578D4 | starts hword matrix... initially 0x200 | |
| 0x578D6 | initially 0x200 | |
| 0x578D8 | initially 0x200 | |
| 0x578DA | initially 0x200 | |
| 0x578DC | initially 0x200 | |
| 0x578DE | initially 0x200 | |
| 0x578E0 | initially 0x200 | |
| 0x578E2 | initially 0x200 | |
| 0x578E4 | initially 0x200 | |
| ... | ||
| 0x57914 | current zone (entry) | |
| 0x57918 | previous zone header (zone item) | |
| 0x5791C | current camera path (zone item) | |
| 0x57920 | current camera path progress | |
| ... | ||
| 0x57930 | set to 0x57938 when zone flags bit 13 not set, else cleared | |
| 0x57934 | camera x rotation after most recent adjustment/level update | |
| 0x57938 | camera y rotation after most recent adjustment/level update | |
| 0x5793C | camera z rotation after most recent adjustment/level update | |
| 0x57940 | camera x rotation before most recent adjustment/level update | |
| 0x57944 | camera y rotation before most recent adjustment/level update | |
| 0x59748 | camera z rotation before most recent adjustment/level update | |
| 0x5794C | sin(*(0x57930))/16; | |
| 0x57950 | ? | |
| 0x57954 | cos(*(0x57930))/16; | |
| ... | ||
| 0x57960 | (active buffer?) | |
| ... | ||
| 0x57968 | 4 byte string? cleared at loadLevel (demo mode sub uses this?) | |
| ... | ||
| 0x57970 | set to *(0x34520) at loadLevel | |
| 0x57974 | zone checkpoint state: player trans X | |
| 0x57978 | zone checkpoint state: player trans Y | |
| 0x5797C | zone checkpoint state: player trans Z | |
| 0x57980 | zone checkpoint state: player rotation Y? (rewritten with 0) | |
| 0x57984 | zone checkpoint state: player rotation X? (rewritten with 0) | |
| 0x57988 | zone checkpoint state: player rotation Z? (rewritten with 0) | |
| 0x5798C | zone checkpoint state: player scale X | |
| 0x57990 | zone checkpoint state: player scale Y | |
| 0x57994 | zone checkpoint state: player scale Z | |
| 0x57998 | zone checkpoint state: current zone EID | |
| 0x5799C | zone checkpoint state: current camera path | |
| 0x579A0 | zone checkpoint state: current camera path progress | |
| 0x579A4 | zone checkpoint state: either level ID or MDAT/LDAT EID? (saved as 0x5c53c[4]) | |
| 0x579A8 | zone checkpoint state: flag | |
| 0x579AC | zone checkpoint state: copy of spawn flags list | |
| 0x57E6C | zone checkpoint state: boxes broken count | |
| ... | ||
| 0x57F40 | 8 x wavebank page structures | |
| 0x580A0 | 16 x texture page structures | |
| ... | ||
| 0x58400 | buffer count | |
| 0x58404 | buffer onscreen pointer | |
| 0x58408 | buffer offscreen pointer | |
| 0x5840C | buffer onscreen (mirror?) pointer | |
| 0x58410 - 0x5A497 | buffer onscreen | |
| 0x5A498 - 0x5C51F | buffer offscreen | |
| ... | ||
| 0x5C528 | start of main game struct (15b58 puts 1 here to indicate) | |
| 0x5C52C | level ID (this is placed at 0x56710) | |
| 0x5C530 | pointer to entry hash table indices/offsets | |
| 0x5C534 | pointer to entry hash table | |
| 0x5C538 | pointer to (loading screen information from NSD?) | |
| 0x5C53C | pointer to NSD level header | |
| [0x0] 0x1 magic | ||
| [0x4] levelID | ||
| [0x8] first zone | ||
| [0xC] first section | ||
| [0x10] | ||
| [0x14-0x110] code EID map | ||
| [0x114] projection mode | ||
| 0x5C540 | pointer to NSD (structure) | |
| 0x5C544 | ? | |
| 0x5C548 | current address to read from disc | |
| 0x5C54C | 0; | |
| 0x5C550 | COUNT OF page structures IN MAINSPACE (high priority) | |
| 0X5C554 | MAIN page structure SPACE (holds 60 x 44 byte page structures) | 60 x 44 bytes |
| 0x5C91C | COUNT OF page structures IN NON-MAINSPACE(low priority) | |
| 0x5C920 | NON-MAIN page structures SPACE | |
| 0x5CFA8 | number of valid pointers in the 0x5CFBC list??? | |
| 0x5CFAC | most recent page stucture set at case 0, and cleared at case 1 if reading doesnt fail | |
| 0x5CFB0 | pointer to a list of items | |
| 0x5CFB4 | most recent page structure set at case 8, and cleared at case 9 | |
| 0x5CFB8 | most recent page stucture's CID set at case 0 if reading doesnt fail | |
| 0x5CFBC | CID->page stucture map | |
| 0x5CFC0 | ? | |
| 0x5CFC4 | ? | |
| 0x5CFC8 | ? | |
| 0x5CFCC | ? | |
| 0x5CFD0 | ? | |
| 0x5CFD4 | ? | |
| 0x5CFD8 | ? | |
| 0x5CFDC | ? | |
| 0x5CFE0 | ? | |
| 0x5CFE4 | ? | |
| 0x5CFE8 | ? | |
| 0x5CFEC | surface collision/octree query data | 4176 or 0x1050 bytes |
| 0x5E03C | filesystem map | 64 x 3 x 4 bytes |
| 0x5E344 | spuVmMaxVoice | 4 bytes |
| 0x5E348 | spawned level object list | 256 x 2 bytes |
| 0x5E548 | reserved for SPU routines | 6672 bytes |
| 0x5FF58 | spawn list | 304 x 4 bytes |
| 0x60418 | reserved for MIDI/SPU routines | 2456 bytes |
| 0x60DB0 | pointer to player object space(points to space allocated for playerobject) | |
| 0x60DB4 | pointer to object space (points to space allocated for 96 objects) | |
| 0x60DB8 | object list A handle | |
| 0x60DC0 | object list B handle | |
| 0x60DC8 | object list C handle | |
| 0x60DD0 | object list D handle | |
| 0x60DD8 | object list E handle | |
| 0x60DE0 | object list F handle | |
| 0x60DE8 | object list G handle | |
| 0x60DF0 | object list H handle | |
| 0x60DF8 | free object list handle | |
| 0x60E00 | most recently updated object | |
| 0x60E04 | global game counter | |
| 0x60E08-0x61887 | object space map | 96 x 28 bytes |
| 0x61888 | object space map entry count | |
| At 0x6188C starts global variables for GOOL objects | ||
| 0x6188C [0x00] | initialized with level ID in left 3 bytes (by OPAT) | |
| 0x61890 [0x01] | ...? | |
| 0x61894 [0x02] | screen Y offset base? | |
| 0x61898 [0x03] | ...used by the other drawing modes | |
| 0x6189C [0x04] | copied to global render/animate flags (bit 3 & 4 set right before title screen fade in) (see mdat postinit) | |
| 0x618A0 [0x05] | ? (level reload count?) | |
| 0x618A4 [0x06] | instance of DispC state 1 | |
| 0x618A8 [0x07] | instance of DispC state 0 | |
| 0x618AC [0x08] | instance of DispC state 0x27, set for ripper roo (level) | |
| 0x618B0 [0x09] | global render/animate flags | |
| 0x618B4 [0x0A] | ? modified by sub_8002BAB4, called at beginning of sub_8002B2BC (handles Crash 'woah' death sequence) | |
| 0x618B8 [0x0B] | ? global central Z of illumination for object brightness? | |
| 0x618BC [0x0C] | instance of DispC state 4 (pause menu) | |
| 0x618C0 [0x0D] | used by FruiC, incremented (fruit to HUD collection path interpolation factor?) | |
| 0x618C4 [0x0E] | instance of DispC state 5 | |
| 0x618C8 [0x0F] | mirror of 0x57930; used by aku, and fruit for some y positioning | |
| 0x618CC [0x10] | aku aku stores pointer to itself here (17A14) | |
| 0x618D0 [0x11] | ? set to 0x100 by camera routine for cam mode 0, (5, 6 level); set to 6 by DispC | |
| 0x618D4 [0x12] | title mode buffer? set by DispC | |
| 0x618D8 [0x13] | ? | |
| 0x618DC [0x14] | game progress (0x63 initial progress before start game), (0x1F full completion, i.e. 31+1 | |
| 0x618E0 [0x15] | ? | |
| 0x618E4 [0x16] | ? | |
| 0x618E8 [0x17] | ? | |
| 0x618EC [0x18] | init 0; incremented by FruiC (fruit or live counter?) | |
| 0x618F0 [0x19] | init 0 | |
| 0x618F4 [0x1A] | init 0 | |
| 0x618F8 [0x1B] | init 0 | |
| 0x618FC [0x1C] | init 0 | |
| 0x61900 [0x1D] | init 0 | |
| 0x61904 [0x1E] | set to zone flags when loading a new zone | |
| 0x61908 [0x1F] | loaded from mem card routine... used by? | |
| 0x6190C [0x20] | loaded from mem card routine... used by? | |
| 0x61910 [0x21] | loaded from mem card routine... used by? | |
| 0x61914 [0x22] | loaded from mem card routine... used by? | |
| 0x61918 [0x23] | loaded from mem card routine... used by? | |
| 0x6191C [0x24] | pointer to tnt explosion object (if event spawns it) | |
| 0x61920 [0x25] | camera x (0x57864) mirror | |
| 0x61924 [0x26] | camera y (0x57868) mirror | |
| 0x61928 [0x27] | camera z (0x5786C) mirror | |
| 0x6192C [0x28] | camera rot y (0x57870) mirror | |
| 0x61930 [0x29] | camera rot x (0x57874) mirror | |
| 0x61934 [0x2A] | camera rot z (0x57878) mirror | |
| 0x61938 [0x2B] | previous game loop iteration execution time minus VSync time (checked by aku aku, also GemsC and WarpC) | |
| 0x6193C [0x2C] | screen x offset (used as arg in call to SetGeomOffset) initially 0, cleared by projection init routine | |
| 0x61940 [0x2D] | screen y offset (used as arg in call to SetGeomOffset, after adding initial y offset value at 0x2 << 8) initially 0 | |
| 0x61944 [0x2E] | set by memory card data load routines, checked by BoxsC, or FruiC, along with game progress at 0x14 | |
| 0x61948 [0x2F] | maximum initial Z position for entities spawned during title sequences | |
| ... | ||
| 0x61950 [0x31] | cleared when an event is sent to a TNT explosion fragment object | |
| ... | ||
| 0x61964 [0x36] | ? aku aku sets this to 0; also sets to point to itself in certain conditions | |
| ... | ||
| 0x6197C [0x3C] | incremental value set by DispC [0x3C] | |
| .... | ||
| 0x61984 [0x3E] | box count/number of boxes broken | |
| 0x61988 [0x3F] | read by GemsC (gems collected?) | |
| .... | ||
| 0x61990 [0x41] | timestamp of most recent gem render? | |
| ... | ||
| 0x61998 [0x43] | cleared when a new zone is loaded | |
| 0x6199C [0x44] | debug flag (set in prototype?) | |
| 0x619A0 [0x45] | ID of most recently hit checkpoint box; when not -1 or 0 and saving state, vector at 0x61A24 recorded in place of objects trans | |
| ... | ||
| 0x619AC [0x48] | ? read by GemsC, also BoxsC and FruiC | |
| ... | ||
| 0x619BC [0x4C] | points to self-instantiated DispC state 10 | |
| ... | ||
| 0x61A1C [0x64] | set to 0xD00 by DispC | |
| ... | ||
| 0x61A24 [0x66] | X component of most recent broken checkpoint box; replaces object trans when saving state if flag 0x619A0 set | |
| 0x61A28 [0x67] | Y component of ....... | |
| 0x61A2C [0x68] | Z component of ....... | |
| ... | ||
| 0x61A34 [0x6A] | fade duration/counter? | |
| ... | ||
| 0x61A5C [0x74] | ?? set to 0 for each neighbor zone when loading a new zone | |
| 0x61A60 [0x75] | set/incremented by boxes when spawned; reset when loading a new zone for each neighbor zone | |
| 0x61A64 [0x76] | ?? set to 0 for each neighbor zone when loading a new zone | |
