07 March 2018, 05:33 | #1
Help/Guidance reverse engineering a demo
Hi,
I would like to practice my RE skills. I'm trying to reverse engineer the State of the Art demo from an adf I've downloaded. Eventually I would like to re-code it in javascript for fun. My first problem is that I'm not so comfortable with how a track loader works and can't really figure out the "entry point" of the demo itself. I've been following pointers from this post http://www.woodmann.com/forum/archiv...hp/t-4514.html to try to figure out where the code of the demo is loaded in memory and then use the FS-UAE debugger to do step by step. If someone is willing to provide guidance/help I could start pasting some of my findings.
07 March 2018, 07:21 | #2
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Disassemble the bootblock. You will see which file is loaded to which address then. Then disassemble that file and locate the trackloader (usually very easy to spot, just look for code which searches for the SYNC marker ($4489)). You don't have to know how the trackloader is working, you only need to know which data it loads to which locations. Which can be easily figured out by checking the loader calls. Then you can use that info to disassemble all the other parts of the demo.
07 March 2018, 23:36 | #3
I stuck the asm dump of the first track in a public gist here: State of the art first adf tracks asm dump

I can locate some code looking for the markers. For example:

Code:
    000DC1C4 loc_DC1C4:                      ; CODE XREF: RAM:000DC1C8j
    000DC1C4     cmpi.w  #$4489,(a2)+
    000DC1C8     bne.s   loc_DC1C4
    000DC1CA     cmpi.w  #$4489,(a2)
    000DC1CE     bne.s   loc_DC1D2
    000DC1D0     addq.l  #2,a2

A little guidance would be most welcome. My understanding so far is that it starts copying what's in between addresses 0xDC034 and 0xDC2B4 (relative to PC) to absolute address $100 and then jumps to $100, executing the copied code.

Code:
    000DC01E     lea     $DC034,a0
    000DC022     lea     $DC2B4,a1
    000DC026     lea     ($100).w,a2
    000DC02A loc_DC02A:                      ; CODE XREF: RAM:000DC02Ej
    000DC02A     move.b  (a0)+,(a2)+
    000DC02C     cmpa.l  a0,a1
    000DC02E     bne.s   loc_DC02A
    000DC030     jmp     $100

Before doing that though I believe it calls a function:

Code:
    000DC00C     bsr.w   sub_DC2B4
    000DC010     move.w  #$7FFF,(word_DFF09A).l
    000DC018     movea.l #$9A0,sp

So now I need to understand the code which has been copied ... Will try to do loc_DC034, loc_DC03E & loc_DC070 when I get a chance but a few hints for the first blocks would be most welcome.
08 March 2018, 08:50 | #4
sub_DC2B4 is a check for extra memory. As for the loader, think what it has to do: it needs at least 3 parameters: start offset, length, destination. Which in turn means you should look for code which passes 3 parameters to a sub-routine. If you have a closer look at $DC0A8 you might find something interesting...
No offence but I doubt you'll be able to disassemble the demo with your current knowledge. The boot code really is very easy to understand and you already struggle to continue.
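Posts #2 and #4 describe what to look for by eye: opcodes that carry the $4489 sync word, and a subroutine call that is fed three parameters. Both patterns are regular enough to scan for mechanically before opening the debugger. The script below is an added example written for this thread; it is not part of the demo, not the ripper attached later in the thread, and not any tool mentioned here. The opcode encodings are the standard 68000 ones. SAMPLE is a constructed byte string: it borrows the cmpi.w sequence from the listing in post #3 and adds a made-up DSKSYNC write and a three-parameter call so the scanner has something to find.

```python
"""Heuristics for locating a trackloader in a raw 68k binary (an ADF image
or a ripped file). Added example for this thread, not code from the demo or
its attachments. It looks for (1) opcodes carrying the MFM sync word $4489
as an immediate and (2) bsr/jsr call sites preceded by three or more
immediate loads, the shape a loader call with (offset, length, destination)
parameters usually has. SAMPLE is constructed; encodings are standard 68000."""
import struct
import sys

SYNC = 0x4489
EA_MODES = ["d%d", "a%d", "(a%d)", "(a%d)+", "-(a%d)", "d16(a%d)", "d8(a%d,xn)"]
EA_MODE7 = {0: "abs.w", 1: "abs.l", 2: "d16(pc)", 3: "d8(pc,xn)", 4: "#imm"}


def ea_name(ea):
    """Render a 6-bit effective-address field (mode:3, reg:3) as text."""
    mode, reg = ea >> 3, ea & 7
    return EA_MODE7.get(reg, "?") if mode == 7 else EA_MODES[mode] % reg


def scan_sync_refs(data, base=0):
    """(address, mnemonic) for every cmpi.w/move.w whose immediate is $4489.
    Only even offsets are tried: 68k instructions are word aligned."""
    hits = []
    for off in range(0, len(data) - 3, 2):
        op, imm = struct.unpack_from(">HH", data, off)
        if imm != SYNC:
            continue
        if 0x0C40 <= op <= 0x0C7F:                           # cmpi.w #imm,<ea>
            hits.append((base + off, "cmpi.w #$4489," + ea_name(op & 0x3F)))
        elif op & 0xF03F == 0x303C:                          # move.w #imm,<ea> (e.g. DSKSYNC)
            dst = ((op >> 3) & 0x38) | ((op >> 9) & 7)       # dest field is reg:mode, swap it
            hits.append((base + off, "move.w #$4489," + ea_name(dst)))
    return hits


def decode_param_load(data, off):
    """(length, text) if an immediate-to-register load starts at off, else None."""
    if off + 2 > len(data):
        return None
    op = struct.unpack_from(">H", data, off)[0]
    reg = (op >> 9) & 7
    if op & 0xF100 == 0x7000:                                # moveq #imm8,dn
        return 2, "moveq #$%x,d%d" % (op & 0xFF, reg)
    if op & 0xF1FF == 0x303C and off + 4 <= len(data):      # move.w #imm16,dn
        return 4, "move.w #$%x,d%d" % (struct.unpack_from(">H", data, off + 2)[0], reg)
    forms = {0x203C: "move.l #$%x,d%d", 0x207C: "movea.l #$%x,a%d", 0x41F9: "lea $%x,a%d"}
    if (op & 0xF1FF) in forms and off + 6 <= len(data):     # 32-bit immediate forms
        return 6, forms[op & 0xF1FF] % (struct.unpack_from(">I", data, off + 2)[0], reg)
    return None


def decode_call(data, off, base):
    """(length, target address) if bsr.s/bsr.w/jsr abs.l starts at off, else None."""
    if off + 2 > len(data):
        return None
    op = struct.unpack_from(">H", data, off)[0]
    if op == 0x6100 and off + 4 <= len(data):               # bsr.w
        return 4, base + off + 2 + struct.unpack_from(">h", data, off + 2)[0]
    if op & 0xFF00 == 0x6100 and op & 0xFF:                 # bsr.s
        return 2, base + off + 2 + struct.unpack_from(">b", data, off + 1)[0]
    if op == 0x4EB9 and off + 6 <= len(data):               # jsr abs.l
        return 6, struct.unpack_from(">I", data, off + 2)[0]
    return None


def scan_loader_calls(data, base=0, min_params=3):
    """(call address, target, [param loads]) for each call preceded by at least
    min_params immediate loads. Sweeping every even start keeps the longest
    chain, because the earliest start reaches the call first."""
    found = {}
    for start in range(0, len(data), 2):
        off, params = start, []
        while True:
            load = decode_param_load(data, off)
            if load is None:
                break
            params.append(load[1])
            off += load[0]
        call = decode_call(data, off, base) if len(params) >= min_params else None
        if call is not None and base + off not in found:
            found[base + off] = (base + off, call[1], params)
    return [found[k] for k in sorted(found)]


# Constructed sample: the sync search from the pasted listing, a DSKSYNC
# write, then a three-parameter call back to the start.
SAMPLE = bytes.fromhex(
    "0C5A4489"          # 0000  cmpi.w #$4489,(a2)+
    "66FA"              # 0004  bne.s  back to 0000
    "0C524489"          # 0006  cmpi.w #$4489,(a2)
    "33FC448900DFF07E"  # 000A  move.w #$4489,$DFF07E
    "203C00001234"      # 0012  move.l #$1234,d0     ; offset
    "223C00000800"      # 0018  move.l #$800,d1      ; length
    "41F900020000"      # 001E  lea    $20000,a0     ; destination
    "6100FFDA"          # 0024  bsr.w  back to 0000
    "4E75"              # 0028  rts
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for addr, text in scan_sync_refs(blob):
        print("%08X  %s" % (addr, text))
    for addr, target, params in scan_loader_calls(blob):
        print("%08X  call -> %08X  after %s" % (addr, target, ", ".join(params)))
```

Pass the image or ripped file as the first argument; without one it scans SAMPLE. Use base= to print addresses as they appear in your disassembler once you know where a file is loaded. Expect false positives from data that happens to decode as code: the output is a list of places to inspect in the debugger, not proof of a loader.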
08 March 2018, 12:29 | #5
Thks for your help and no worries: no offence taken as, as you said, it's just about a lack of knowledge about a particular piece of hardware ... it's neither a lack of motivation nor skills hopefully. I will pick it up.
Will check $DC0A8 when I get a chance. Again thanks for your help.
Last edited by a.nonyme; 08 March 2018 at 23:52.
20 March 2018, 11:31 | #6
I've found some of my old code which rips all files from SOTA. This should help you to get started. Source attached.
11 May 2018, 00:21 | #7
Thks man ! Was going to have another look at it :-)
Meanwhile I taught myself more 68k asm (I wrote a toy compiler with an m68k backend supporting Amiga thanks to vasm. Check it out https://github.com/ssrb/tigerlang, it's a bit rubbish I think but it works ^^)
11 May 2018, 09:29 | #8
This cat is no more
Join Date: Dec 2004
Location: FRANCE
Age: 52
Posts: 8,174
To reverse engineer the demo you could use the source code from the WHDLoad install of the demo.
No need to reverse engineer the trackloader of the demo... You need the functional parts. There will be more than 68000 asm here. There are a lot of custom chip tricks that a few people master.
11 May 2018, 19:32 | #9
The code in SOTA is EXTREMELY simple, it's nothing more than a basic animation player. There aren't any real tricks used at all. It's more or less all "set up screen, call anim player code, load next part" kind of stuff.
16 May 2018, 04:46 | #10
I set up github & travis with your ripper to start with. It's here https://github.com/ssrb/SOTA
I ran the exec in UAE and archived the SOTAXXX_YYY.bin files. Dropbox: https://www.dropbox.com/s/mge11i1a7fqpokv/SOTA.zip?dl=0 For the SOTA.dsk I used the adf: i.e. I renamed from "Spaceballs - State of the Art.adf" to SOTA.dsk. Not sure that's the file that was expected though? Gonna track my progress on that repo I guess. Thks for your help.
16 May 2018, 11:13 | #11
The files look OK to me. File name extensions are track_length. Check the comments in the RipFiles.s source, they describe what is what.
24 May 2018, 06:04 | #12
Trying the de-crunching code in 21/1 and display that image.
Need to learn more about the Amiga chip-set too now.
Last edited by a.nonyme; 24 May 2018 at 06:25.
24 May 2018, 09:36 | #13
21_1 contains very easy to follow code, just displays the 4 "state" "of" "the" "art" pictures, fades the colors and plays a sample. And finally displays the credits picture. Make sure you fully understand the code before continuing with anything else!
25 May 2018, 01:53 | #14
It's happening here https://gist.github.com/ssrb/c37366b...2f68cab9a7bdde
Final version of the big function, need to make sense of it now ...

Code:
    #include <stddef.h>
    #include <stdint.h>

    /* Bit-fetch helpers called below; their bodies are not in this paste.
       d1 = bit count - 1 on entry, result returned in d0. */
    uint32_t sub_527D0(uint32_t d1);
    uint32_t sub_527D2(uint32_t d1);
    void decrunch(const char *src, char *dst);

    static void call_site(void)
    {
        //ROM:0005201E movea.l ($7C).w,a3
        //ROM:00052022 adda.l #$20000,a3
        const char *src = *(const char **)0x7C + 0x20000;   /* $7C holds a pointer */
        //ROM:00052028 lea ($6CB10).l,a0
        char *dst = (char *)0x6CB10;
        //ROM:0005202E bsr.w sub_5273E
        decrunch(src, dst);
    }

    // ROM:0005273E sub_5273E:
    void decrunch(const char *src /*a3*/, char *dst /*a0*/)
    {
        // ROM:0005273E lea $C(a3),a5
        const char *srcstart = src + 0xC;
        // ROM:00052742 movea.l a0,a4
        char *dststart = dst;
        // ROM:00052744 adda.l 8(a3),a5            (a byte count, so byte arithmetic)
        size_t srclen = *(const uint32_t *)(src + 0x8);
        const uint32_t *srccurr = (const uint32_t *)(srcstart + srclen);
        // ROM:00052748 adda.l 4(a3),a0
        size_t dstlen = *(const uint32_t *)(src + 0x4);
        char *dstcurr = dststart + dstlen;
        // ROM:0005274C moveq #$7F,d3
        // ROM:0005274E moveq #0,d4
        // ROM:00052750 moveq #3,d5
        // ROM:00052752 moveq #7,d6
        // ROM:00052754 move.b 3(a3),d4
        uint8_t d4 = src[3];
        // ROM:00052758 move.l -(a5),d7
        uint32_t data = *(--srccurr);
        uint32_t cflag, xflag;
        // ROM:0005275A loc_5275A:
        do {
            // ROM:0005275A moveq #0,d2
            int32_t idx = 0;
            // ROM:0005275C lsr.l #1,d7
            cflag = data & 1; xflag = cflag; data >>= 1;
            // ROM:0005275E bne.s loc_52764
            if (data == 0) {
                // ROM:00052760 move.l -(a5),d7
                data = *(--srccurr);
                // ROM:00052762 roxr.l #1,d7
                cflag = data & 1; data >>= 1; data |= xflag << 31; xflag = cflag;
            }
            // ROM:00052764 loc_52764:
            // ROM:00052764 bcc.s loc_52788
            if (cflag) {
                uint8_t idx2 = 0;
                // ROM:00052766 loc_52766:
                do {
                    // ROM:00052766 move.w d5,d1
                    // ROM:00052768 bsr.s sub_527D0
                    idx2 = sub_527D0(3);
                    // ROM:0005276A add.l d0,d2
                    idx += idx2;
                    // ROM:0005276C cmp.w d6,d0
                    // ROM:0005276E beq.s loc_52766
                } while (idx2 == 7);
                // ROM:00052770 loc_52770:
                do {
                    // ROM:00052770 move.w d6,d1
                    int cnt = 7;
                    // ROM:00052772 loc_52772:
                    do {
                        // ROM:00052772 lsr.l #1,d7
                        cflag = data & 1; xflag = cflag; data >>= 1;
                        // ROM:00052774 bne.s loc_5277A
                        if (data == 0) {
                            // ROM:00052776 move.l -(a5),d7
                            data = *(--srccurr);
                            // ROM:00052778 roxr.l #1,d7
                            cflag = data & 1; data >>= 1; data |= xflag << 31; xflag = cflag;
                        }
                        // ROM:0005277A loc_5277A:
                        // ROM:0005277A roxr.b #1,d0
                        cflag = idx2 & 1; idx2 >>= 1; idx2 |= xflag << 7; xflag = cflag;
                        // ROM:0005277C dbf d1,loc_52772
                    } while (--cnt != -1);
                    // ROM:00052780 move.b d0,-(a0)         (pre-decrement: store below the last byte)
                    *--dstcurr = idx2;
                    // ROM:00052782 subq.l #1,d2
                    idx -= 1;
                    // ROM:00052784 bne.s loc_52770
                } while (idx != 0);
                // ROM:00052786 bra.s loc_527CA
            } else {
                int idx2 = 0;
                // ROM:00052788 loc_52788:
                // ROM:00052788 moveq #1,d1
                // ROM:0005278A bsr.s sub_527D2
                // ROM:0005278C moveq #0,d1
                // ROM:0005278E move.l d0,d2
                idx = sub_527D2(1);
                // ROM:00052790 move.b (a3,d0.w),d1
                char val = src[idx];
                // ROM:00052794 cmp.w d5,d0
                // ROM:00052796 bne.s loc_527BE
                if (idx == 3) {
                    // ROM:00052798 lsr.l #1,d7
                    cflag = data & 1; xflag = cflag; data >>= 1;
                    // ROM:0005279A bne.s loc_527A0
                    if (data == 0) {
                        // ROM:0005279C move.l -(a5),d7
                        data = *(--srccurr);
                        // ROM:0005279E roxr.l #1,d7
                        cflag = data & 1; data >>= 1; data |= xflag << 31; xflag = cflag;
                    }
                    // ROM:000527A0 loc_527A0:
                    // ROM:000527A0 bcs.s loc_527B2
                    if (!cflag) {
                        // ROM:000527A2 loc_527A2:
                        do {
                            // ROM:000527A2 move.w d6,d1
                            // ROM:000527A4 bsr.s sub_527D0
                            idx2 = sub_527D0(7);
                            // ROM:000527A6 add.l d0,d2
                            idx += idx2;
                            // ROM:000527A8 cmp.w d3,d0
                            // ROM:000527AA beq.s loc_527A2
                        } while (idx2 == 0x7F);
                        // ROM:000527AC add.l d6,d2
                        // ROM:000527AE add.l d6,d2
                        idx += 2 * 7;
                        // ROM:000527B0 bra.s loc_527BC
                    } else {
                        // ROM:000527B2 loc_527B2:
                        do {
                            // ROM:000527B2 move.w d5,d1
                            // ROM:000527B4 bsr.s sub_527D0
                            idx2 = sub_527D0(3);
                            // ROM:000527B6 add.l d0,d2
                            idx += idx2;
                            // ROM:000527B8 cmp.w d6,d0
                            // ROM:000527BA beq.s loc_527B2
                        } while (idx2 == 7);
                    }
                    // ROM:000527BC loc_527BC:
                    // ROM:000527BC move.w d4,d1
                    val = d4;
                } // if (idx == 3)
                // ROM:000527BE loc_527BE:
                // ROM:000527BE addq.l #1,d2
                idx += 1;
                // ROM:000527C0 bsr.s sub_527D2
                int idx3 = sub_527D2(val);
                // ROM:000527C2 loc_527C2:
                do {
                    // ROM:000527C2 move.b (a0,d0.w),-(a0)   (source is read before a0 is decremented)
                    char b = dstcurr[idx3];
                    *--dstcurr = b;
                    // ROM:000527C6 subq.l #1,d2
                    idx -= 1;
                    // ROM:000527C8 bpl.s loc_527C2         (loops while d2 >= 0)
                } while (idx >= 0);
            }
            // ROM:000527CA loc_527CA:
            // ROM:000527CA cmpa.l a0,a4
            // ROM:000527CC bcs.s loc_5275A                 (carry set: a4 < a0 unsigned)
        } while (dstcurr > dststart);
        // ROM:000527CE rts
    }

Last edited by a.nonyme; 25 May 2018 at 06:36.
26 May 2018, 06:27 | #15
How about the "James Bond Girls" before 0x52000/21_1 though ?
The "State" "Of" "The" "Art" comes after the JBGs. Do you remember which section it is ?
26 May 2018, 20:26 | #16
This is the PowerPacker decruncher code.

That code should be in the first loader part if memory serves me right but I can't remember which file that is. Something for you to find out.
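A way to check a transcription like the one in post #14 is to decode real data with an independent implementation of the same scheme and compare. Below is an added Python decruncher for PP20 data, written for this thread; it is not the demo's routine and not the C++ project linked in the next post, but it implements the same structure the asm shows: bits are pulled from the end of the crunched data backwards (the "move.l -(a5),d7 / lsr.l #1,d7" pair), output is written backwards, and each step is either a literal run followed by a back-reference or a back-reference alone, with 2-, 3-, 4- and 5+-byte length classes. The container fields are described in the comments. The efficiency table and SAMPLE are constructed for the test (SAMPLE was assembled by hand from the bit layout), not ripped from the demo.

```python
"""PP20 (PowerPacker) decruncher. Added example for this thread: a from-scratch
Python reimplementation of the decode loop the asm above implements, not the
demo's code and not the linked C++ project. Container layout: 'PP20', 4-byte
efficiency table (offset bit widths for match lengths 2, 3, 4 and 5+), crunched
body, 3-byte decrunched length (big endian), 1-byte count of padding bits to
skip. SAMPLE is a constructed stream, hand-assembled, not ripped from the demo."""


def pp_decrunch(packed):
    """Decode a complete PP20 stream; malformed input raises ValueError."""
    if len(packed) < 12 or packed[:4] != b"PP20":
        raise ValueError("not a PP20 stream")
    eff, body, skip = packed[4:8], packed[8:-4], packed[-1]
    dest_len = int.from_bytes(packed[-4:-1], "big")
    state = [len(body), 0, 0]                        # source pos, bit buffer, bits left

    def read(n):
        """Bytes come from the END of the body backwards, bits LSB first, each
        field assembled MSB first: the 'move.l -(a5),d7 / lsr.l #1,d7' scheme."""
        pos, buf, nbits = state
        while nbits < n:
            if pos == 0:
                raise ValueError("crunched data exhausted")
            pos -= 1
            buf |= body[pos] << nbits
            nbits += 8
        val = 0
        for _ in range(n):
            val, buf = (val << 1) | (buf & 1), buf >> 1
        state[:] = [pos, buf, nbits - n]
        return val

    out, pos = bytearray(dest_len), dest_len
    read(skip)                                       # padding bits, discarded
    while pos > 0:                                   # output is written backwards
        if read(1) == 0:                             # flag 0: literal run, then a match
            count, x = 1, 3
            while x == 3:                            # count-1 in 2-bit chunks, 3 = more follows
                x = read(2)
                count += x
            if count > pos:
                raise ValueError("literal run overflows output")
            for _ in range(count):
                pos -= 1
                out[pos] = read(8)
            if pos == 0:
                break
        x = read(2)                                  # length class: 2, 3, 4 or 5+
        length, offbits = x + 2, eff[x]
        if x == 3:
            if read(1) == 0:                         # 1 bit selects 7-bit or table-width offset
                offbits = 7
            offset, y = read(offbits), 7
            while y == 7:                            # extra length in 3-bit chunks, 7 = more follows
                y = read(3)
                length += y
        else:
            offset = read(offbits)
        if pos + offset >= dest_len or length > pos:
            raise ValueError("match outside output")
        for _ in range(length):                      # the 'move.b (a0,d0.w),-(a0)' copy
            out[pos - 1] = out[pos + offset]
            pos -= 1
    return bytes(out)


# Constructed sample: 30 padding bits, flag 0, literal count 6 ("ZYXcba", each
# byte read MSB first and stored backwards), then a length-6 match with 7-bit
# offset 2, which rebuilds "abcabc" from the "abc" just written.
SAMPLE = (b"PP20" + bytes([9, 10, 12, 13])          # assumed efficiency table
          + bytes.fromhex("881C323630D4D2D380000000")
          + (12).to_bytes(3, "big") + bytes([30]))

if __name__ == "__main__":
    print(pp_decrunch(SAMPLE))
```

Feed it one of the ripped files that starts with "PP20" and diff the result against what the demo's routine leaves in memory at the destination address; a mismatch in a literal run points at the bit-assembly part of the transcription, a mismatch after the first back-reference at the offset or length handling.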
27 May 2018, 05:03 | #17
Thks for this information ! I found a C++ version of "PowerPacker" on github to compare with at https://github.com/ipr/PowerPacker-decrunch