Find address to insert msu routine

I'm trying to port an MSU patch to an different region (from English to Japanese); followed the tutorial here. The patch I'm trying to port is from here and I also went through this thread, but as I'm not allowed to reply on either I'm asking the question here.

The only address I'm struggling with is the one where to put the MSU routine; because the data which is overwritten differs between the available regions (i.e. English version overwrites other data than German version)

Example:
the English MSU Patch put the msu code at address $81FD10 (=file offset 0xFD10)

Code:

org $81FD10
msu:
STA $54
...

Which is filled before applying the patch like this:

Code:

│0000fd10│ 2a aa aa aa aa aa aa 3a ┊ aa aa aa aa aa aa 8a aa

and after applying the patch like this:

Code:

│0000fd10│ 85 54 64 55 a2 00 00 a9 ┊ 00 eb 8d 06 20 a5 54 8d

We can see it starts with "85 54" which is STA $54, hence the start of the msu routine.

However in a different regions MSU patch (i.e. German) not only is the address slightly different, also the data there before overwrite differs. i.e. org $81FD40
before applying the patch:

Code:

│0000fd40│ be ea aa aa aa ea aa aa ┊ aa ba aa ff aa aa aa fa

Searching in the Japanese ROM for same sequence as in the English or German ROM will not work as the data to overwrite is different in each region; there are somehow similar areas with lots of AA instructions, but how to find an "empty area" I can safely overwrite without causing harm to other functionality?

For reference here is my modified code for the Japanese ROM ("Estpolis Denki II (Japan).sfc"):

Code:

lorom

org $90C091  ; hardcore apu mute
db $2f

org $80B9D9  ; intro fix
db $80

org $809584
JSL msu

org $8097e9
JSL fade

org $80863C
JSL nmi
NOP

org $80B9BC
JSL mute

org $81FD40
msu:
STA $54
STZ $55
LDX #$0000
LDA #$00
XBA
STA $2006
LDA $54
STA $2004
TAX
STZ $2005
loop:
BIT $2000
BVS loop
LDA $81FF00,x
STA $2007
LDA #$00 ;erase fade flag
sta $7ffff0
LDA #$ff
STA $7ffff1
STA $2006
rtl

fade:
SEP #$20
LDA #$06
STA $7ffff0 ;fade flag
RTL

nmi:
LDA #$80
STA $2100
LDA $7ffff0
BNE $01
RTL
lda $7ffff1
CMP #$00
BEQ endfast
dec
dec
dec
cmp #$10
bcs $06
endfast:
lda #$00
sta $7ffff0 ;erase fade flag
sta $002006
sta $7ffff1
RTL

mute:
JSL $80967e
LDA #$00
STA $002006
RTL

org $81FF00 ; loop table
; 01-Non-loop, 03-Loop
;   00  01  02  03  04  05  06  07  08  09  0A  0B  0C  0D  0E  0F
db $03,$03,$03,$03,$01,$03,$01,$03,$03,$03,$03,$03,$01,$03,$01,$01 ; themes 00-0f - 00
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 10-1f - 10
db $03,$03,$03,$03,$03,$01,$01,$03,$03,$03,$03,$03,$03,$01,$03,$03 ; themes 20-2f - 20
db $01,$01,$03,$01,$01,$01,$01,$03,$03,$03,$03,$03,$01,$03,$01,$03 ; themes 30-3f - 30
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 40-4f - 40
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 50-5f - 50
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 60-6f - 60
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 70-7f - 70
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 80-8f - 80
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes 90-9f - 90
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes a0-af - A0
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes b0-bf - B0
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes c0-cf - C0
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes d0-df - D0
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes e0-ef - E0
db $03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03,$03 ; themes f0-ff - F0

The address I'm using there currently for the msu routine is $81FD40; but this is just a guess based on the german patch and seeing a number of AA instructions there in the Japanese ROM. Is there any way/method to make sure that the section where the msu code is inserted is not being used for any other purpose?

hi! thanks for posting.
if i doubt where something might be going i just breakpoint it in a debugger in an unmodified rom and check to make sure the surrounding code is similar..

lda and sta to/from the same addresses etc.

Thank you for the advice! The problem is that the surrounding code is quite different; might be the surrounding code has been changed between the English and Japanese versions quite a bit.

Left is Japanese, Right is English (The interesting pattern is "2A AA AA 2A" which is not there in the Japanese version)


Left is English (unpatched), Right is English patched

So we can see that the modification is exactly within the red area (starting with the last 2A in the pattern 2A AA AA 2A) which differed between English & Japanese version.

=> So the surrounding code is quite different in both unpatched versions to begin with

Based on counting various offsets relatively I've tried $81FD10, $81FD3C, $81FD37, $81FD40, $81FD50, $81FD8B currently to put the msu routine: The MSU1 sound is playing, but for some reason it seems like the sound is playing twice - the second time with an delay of few seconds, which gives it an "echo" kind of effect. Any idea what could be the reason for that?

Here is my modified asm & ips file

oh i think i misunderstood your question.. you need an empty space to relocate the MSU1 code into?

you can do this easily via rom expansion (look into lunar expand)

an "echo" with MSU1 should be impossible. it may be playing SPC audio and MSU1 audio at the same time. meaning the mute in the MSU1 code is not working.

with an expanded rom freespace the hooks may need to be changed
if JSR they become JSL
and RTS turns into RTL.

they are also one byte longer, which probably requires you to insert one more line of code before the rtl.. but if the hooks already are JSL then you have nothing to worry about.