
Jul - Computers - Looking for a DOS/Win16 reverse engineering mentor
rubber_chicken
Posted on 07-28-15 12:40:11 PM
Hello,

I'm a big reader of the TCRF Wiki and a computer science student.
I would like to dive into reverse engineering DOS and Win16 games but I would like to do it with someone who could teach me a few things (basics, tools to use, techniques, etc…).

Nothing serious, just to chill out, I have a bunch of video games from my childhood that I would like to crack wide open (Fire & Ice, Thinkin' Things, The Magic School Bus, etc…).

If you want to know more about my skills, I know how to program in C, Lua, Python 3. I know how to use GCC, GDB, emacs, Valgrind, objdump, nm. I only use ArchLinux, but when I need to, I emulate Windows inside a VM.
I'm currently reading a book about ASM programming for 32bit x86.

divingkataetheweirdo
Posted on 07-28-15 05:50:23 PM (last edited by divingkataetheweirdo at 07-28-15 06:11:45 PM)
I'm not exactly the most talented with this but...

You really need to know x86 assembly. So it's a good thing you're reading the book.

The first major tool is IDA Pro Free. It's based on IDA Pro 5.0 and is rather limited, but it works well if all you want to do is dissect some old games. IDA Pro itself was updated to include programs that have DOS4GW included within the executable. However, IDA Pro can be quite expensive (in other words, at least $1129 US or €1019). There's also IDA Starter, but that's quite a bit more limited (although still good for 32-bit x86 apps) and still quite expensive (in other words, at least $589 US or €529).

DOSBox can be configured to be a debugger in its source code. A binary of it is available in the VOGONS forum. Lacking that, try a number of other debuggers available. Seriously though, there are a lot of them, due to the sheer popularity of DOS among 90's programmers.

For PKLite or LZ9x compressed executables, 9 times out of 10, you can use UNP 4.1.2.

I also have a rare extractor program (Extractor by Nova Software), which I use sometimes on older games. It's designed for mid-2000's Windows computers though, so it may act a little funky on your side. The site for it is down and I'm not sure if I should upload it anywhere. (Here's a temporary link. Download it while you can.)

If there's anything else, bring it up here and hopefully someone far more knowledgeable than me will appear.

rubber_chicken
Posted on 07-31-15 04:13:24 AM
Hello,

Thank you for your answer.
I already know of the existence of IDA and the debug mode of DOSBox.
To be honest, I've never understood how to use the debug mode of DOSBox and, maybe I did it wrong, but I haven't found a lot of documentation about it. In fact, it is quite rare and not very helpful.

So far I'm looking to reverse engineer the DOS version of Fire & Ice.
Everything is packed into a single executable FIRE.EXE (md5sum f29c3dd71b531086b22fcac86664c923), and I would like to understand how to unpack it and how to extract the music, maps and graphics out of it.

divingkataetheweirdo
Posted on 07-31-15 07:59:38 PM (last edited by divingkataetheweirdo at 08-01-15 02:42:48 AM)
Pressing "Alt" and "Pause/Break" when the DOSBox window is selected causes the program to pause/break, thus allowing the debugger to be used. Pressing "F5" when the debugger window is selected unpauses it and continues normal operation.

Just from the text mode screen where I can select my options, the program is constantly referring to the Programmable Interrupt Timer. From the beginning of the program, this is mostly just for the moving picture of Cool Coyote in the background.

So, with DOSBox's debugger, I can see the program is running code from segment 01A5, so I dump the memory from that segment, as well as the one next to it. The CS register is what appears to be holding that number.

If I want to dump the memory and view it in a program, I need to click on the debugger window and type "memdumpbin 01a5:0000 (the length of the memory you want to dump in bytes)" in there (without quotation marks). The aforementioned command is to be typed from DOSBox's debugger. 0000 is the beginning of segment 01A5, while the length I chose is 400000.

This dumps the memory into a .bin file called memdump. On my version, this is in the same directory as I put the debug binary in.

There's an old, but useful, program called Tile Molester. With it, I determined that the graphics are 8bpp planar in memory (oddly enough, that's with 16-color VGA). I can see the font used by the game, but not much else. Tile Molester, by default, splits things into 8x8 blocks. Make sure you set the mode to 1-dimensional. All of this is set under the 'View' menu in that program.

One last thing, here's the text for the program set-up that I could extract:

"Please select control method:.#.O1) Keyboard.#.O2) Joystick.
..O Please select video mode: .#.O1) VGA 16 .#.O2) EGA 16 .
..O Please select music: .#.O1) Roland .#.O2) SoundBlaster .#.O3) Beeper .#.O4) No music .
SoundBlaster"

So yeah, it's likely the music data is split into at least three parts.

Oh yeah, and don't forget about the hex editor. You can use that for searching through memdump.bin. There are a huge number of hex editors out there, but the ones I use are HxD and MadEdit.

EDIT: Here's some info on the MZ header.
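To make the Tile Molester step in the post above concrete, here is an added example (my own code, not something posted in this thread and not Tile Molester's own code) that decodes and re-encodes tiles in the layout I understand those planar modes to use: an 8-pixel-wide tile is stored row by row, each row as one byte per bit-plane, most significant bit being the leftmost pixel, and in 1-dimensional mode the tiles simply follow one another. The plane count, the sample 'F' glyph and the dump bytes are constructed for the demonstration; point it at a slice of memdump.bin and vary the plane count until the font the post mentions lines up.

```python
"""Planar-to-chunky decoder for 'Nbpp planar' tile graphics.

Added example, not from the thread. Assumed layout (the one tile editors
such as Tile Molester use for their planar, 1-dimensional modes, as I
understand it): an 8xH tile is H rows, each row `planes` consecutive
bytes, byte p holding bit-plane p of the row's 8 pixels, MSB = leftmost.
"""


def decode_planar_tile(data, planes=4, offset=0, height=8):
    """Return `height` rows of 8 palette indices decoded from data[offset:]."""
    need = height * planes
    if len(data) - offset < need:
        raise ValueError("need %d bytes at offset %d" % (need, offset))
    rows = []
    for y in range(height):
        base = offset + y * planes
        plane_bytes = data[base:base + planes]
        row = []
        for x in range(8):
            bit = 7 - x                          # MSB is the leftmost pixel
            value = 0
            for p, b in enumerate(plane_bytes):
                value |= ((b >> bit) & 1) << p   # plane p supplies bit p
            row.append(value)
        rows.append(row)
    return rows


def encode_planar_tile(rows, planes=4):
    """Inverse of decode_planar_tile; builds test data and lets you write an
    edited tile back into a dump in the same layout."""
    out = bytearray()
    for row in rows:
        if len(row) != 8:
            raise ValueError("tiles are 8 pixels wide")
        for p in range(planes):
            b = 0
            for x, v in enumerate(row):
                if v >> planes:
                    raise ValueError("value %d needs more than %d planes" % (v, planes))
                b |= ((v >> p) & 1) << (7 - x)
            out.append(b)
    return bytes(out)


def decode_tiles_1d(data, count, planes=4, offset=0, height=8):
    """'1-dimensional' mode: tile i starts at offset + i * height * planes."""
    stride = height * planes
    return [decode_planar_tile(data, planes, offset + i * stride, height)
            for i in range(count)]


def render(rows):
    """ASCII view: '.' for palette index 0, the hex value otherwise."""
    return "\n".join("".join("." if v == 0 else format(v, "X") for v in row)
                     for row in rows)


# Constructed sample (not game data): an 8x8 'F' glyph in colour 9 (planes 0
# and 3 set) followed by a solid colour-5 tile, packed as 4bpp planar.
GLYPH_F = [
    [9, 9, 9, 9, 9, 9, 9, 0],
    [9, 0, 0, 0, 0, 0, 0, 0],
    [9, 0, 0, 0, 0, 0, 0, 0],
    [9, 9, 9, 9, 9, 0, 0, 0],
    [9, 0, 0, 0, 0, 0, 0, 0],
    [9, 0, 0, 0, 0, 0, 0, 0],
    [9, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
]
SAMPLE_DUMP = encode_planar_tile(GLYPH_F) + encode_planar_tile([[5] * 8] * 8)

if __name__ == "__main__":
    for tile in decode_tiles_1d(SAMPLE_DUMP, count=2):
        print(render(tile))
        print()
```

Decoding the same bytes with the wrong plane count does not fail, it just produces noise, which is exactly why the plane count and the 1-dimensional setting have to be chosen by eye in the editor; reading a real dump is a matter of replacing SAMPLE_DUMP with open("memdump.bin", "rb").read() and an offset.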

divingkataetheweirdo
Posted on 08-17-15 04:18:34 AM (last edited by divingkataetheweirdo at 08-17-15 06:03:17 AM)
So, this game has some evil copy protection.

The method itself is really simple - just enter a letter from the manual based on the page, the line, the word and the letter.

But how they coded that in is rather devious. The executable itself is a mess to go through. For starters, the strings are all over the place and most of them aren't...attached. I think there's some map data toward the end of the executable. There are many more strings uncompressed in memory.

(Compressed in the exe, Uncompressed)
DO[EF EF]S Ver[FC 71]ion 1 f[FF FF]ound.
DO[ ]S Ver[ s ]ion 1 found.

Unable to r[F0] Program
Unable to r[ un ] Program

The text itself is at least compressed. (I'm now having to use this to go through.) But the rest is really weird, with what I can only presume are bad opcodes, compression (initial suspicions are that it's Huffman) and encryption going on. Also, breakpoints and interrupts, quite a few of them. For starters, there's an interrupt used for the set-up screen.

If you insist on using IDA, turn off VxD calls (those are Windows things) and Unicode strings.

Finally...here's a file listing that's normally compressed, but which DOSBox uncompressed for me:
detect3.huf
roland.huf
adlib.huf
SBlaster.huf
tandy.huf
beeper.huf
Infobloc.Huf
face.huf
eyes.huf
FireIce.huf
Coyote.huf
loader.huf
windows.huf
norm2.huf
hiscore.F&I
Fire&ice.cfg
Control-.bin
Cont_Dif.huf
Testscrn.tex
Ti_Diff.huf
Sn_Diff.huf
Ca_Diff.huf
Se_Diff.huf
Fo_Diff.huf
In_Diff.huf
Ro_Diff.huf
Ho_Diff.huf
screen.huf
solute.huf
temp3.huf
Head_.huf
fire_top.huf
fire_mid.huf
fire_bot.huf
SpeedMid.huf
chars.huf
ega.huf
tga.huf

So, there's an obscure 1995 shareware release of the game. However, I could not find any downloads for that, so I presume registered versions are extremely rare. The one I'm going through is the earlier 1992/1993 one, which is presumably the same version as yours.

The memory dumping is done through HxD, which works well for 32-bit apps, but not so much for 64-bit ones. DOSBox happens to be a 32-bit app fortunately, as is the version on VOGONS.

So, an initial look shows that the code that's responsible for the initial load (for the set-up program) starts around FDBE (hex).
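Since the thread keeps coming back to FIRE.EXE itself (the PKLite/LZ9x remark and UNP in the first reply, the MZ header note in the previous post, and the memdumpbin dumps and compressed-versus-uncompressed comparisons here), here is an added example, my own code rather than anything posted in the thread, that reads the MZ header, reports how much of the file is the declared load module versus appended overlay, points at the entry instruction in the file, sniffs for the LZEXE and PKLITE header markers, and maps a file offset into a memdumpbin dump. The field layout is the standard MZ header; the packer markers (LZ09/LZ91 at 0x1C, "PKLITE Copr." at 0x1E) and the load-segment arithmetic are assumptions I have documented in the comments, so treat the sniff as a hint to confirm with UNP. The sample image is constructed, not taken from the game.

```python
"""MZ (DOS EXE) header parser with a packer sniff and a file->memdump mapper.

Added example, not from the thread. Field layout is the standard MZ header.
The packer markers and the load-segment arithmetic are assumptions stated
in the comments; confirm packers with UNP before trusting the sniff.
"""
import struct
import sys

MZ_STRUCT = struct.Struct("<2s" + "H" * 13)          # 28-byte fixed part
MZ_NAMES = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
            "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
            "e_lfarlc", "e_ovno")


def parse_mz(data):
    """Return the header fields plus derived sizes and file offsets."""
    if len(data) < MZ_STRUCT.size:
        raise ValueError("too short for an MZ header")
    hdr = dict(zip(MZ_NAMES, MZ_STRUCT.unpack_from(data, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("missing MZ signature")
    # e_cp 512-byte pages; e_cblp = bytes used in the last page (0 = full page)
    pages, last = hdr["e_cp"], hdr["e_cblp"]
    declared = pages * 512 if last == 0 else (pages - 1) * 512 + last
    header_len = hdr["e_cparhdr"] * 16
    hdr["header_len"] = header_len
    hdr["load_module_len"] = declared - header_len
    # Anything after the declared image is overlay; single-EXE games often
    # keep their resources there, so it is the first place to look.
    hdr["overlay_offset"] = declared
    hdr["overlay_len"] = max(0, len(data) - declared)
    # CS:IP are relative to the load segment and the load module starts right
    # after the header, so the first instruction sits at this file offset.
    hdr["entry_file_offset"] = header_len + hdr["e_cs"] * 16 + hdr["e_ip"]
    return hdr


def sniff_packer(data):
    """Heuristic. Assumed markers: LZEXE 0.90/0.91 write 'LZ09'/'LZ91' at
    header offset 0x1C; PKLITE 1.x writes 'PKLITE Copr.' at 0x1E.
    Returns a label or None."""
    tag = bytes(data[0x1C:0x20])
    if tag in (b"LZ09", b"LZ91"):
        return "LZEXE 0." + tag[2:].decode("ascii")
    if bytes(data[0x1E:0x2A]) == b"PKLITE Copr.":
        return "PKLITE"
    return None


def load_segment(cs_at_entry, e_cs):
    """DOS starts the program with CS = load_seg + e_cs (assumption stated in
    the lead-in), so the CS the DOSBox debugger shows at the first
    instruction gives the load segment."""
    return (cs_at_entry - e_cs) & 0xFFFF


def file_to_dump_index(file_off, header_len, load_seg, dump_seg):
    """Index of a file byte inside a memdumpbin dump taken from dump_seg:0000.
    Valid for load-module bytes of an unpacked EXE; a packer's stub rewrites
    memory, so for a packed file this only holds for the stub itself."""
    if file_off < header_len:
        raise ValueError("header bytes are not loaded into memory")
    linear = load_seg * 16 + (file_off - header_len)
    return linear - dump_seg * 16


def build_sample():
    """Constructed 1288-byte image (not a real game file): 32-byte header,
    LZEXE 0.91 marker, entry at 0040:0010, 8 bytes of overlay."""
    hdr = MZ_STRUCT.pack(b"MZ", 0x100, 3, 0, 2, 0x10, 0xFFFF,
                         0x10, 0x80, 0, 0x10, 0x40, 0x1C, 0)
    hdr += b"LZ91"                  # offsets 0x1C..0x1F of the 32-byte header
    return hdr.ljust(1280, b"\x00") + b"OVERLAY!"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_mz(data)
    for key in ("header_len", "load_module_len", "entry_file_offset",
                "overlay_offset", "overlay_len"):
        print("%-18s 0x%X" % (key, info[key]))
    print("packer:", sniff_packer(data) or "none detected")
```

Saved as, say, mzinfo.py, "python mzinfo.py FIRE.EXE" prints the layout of the real file; with no argument it runs on the constructed sample. A non-zero overlay_len is where I would look first for the music, maps and graphics the original poster asked about, and the e_cs/CS relationship is what lets you line up an offset in FIRE.EXE with the same bytes in memdump.bin once the game has unpacked itself.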




Rusted Logic

Acmlmboard - commit 2f1bc75 [2017-08-27]
©2000-2017 Acmlm, Xkeeper, Inuyasha, et al.
