Disassembling - finding a game start address

[SparkyNZ]

How would I go about finding out where the start address is for a game - in general.

I'm using WinUAE so I can freeze the game (non-WB game) and start using the debugger. Is it possible to determine the start address of the code by continuously popping addresses off the stack?

The game is one of many cracked games.

[phx]

Quote:

Originally Posted by SparkyNZ

I'm using WinUAE so I can freeze the game (non-WB game) and start using the debugger. Is it possible to determine the start address of the code by continuously popping addresses off the stack?

Usually not. You can only guess where the return addresses on the stack are. There can be any amount of data between them. Also the game may start over several direct or indirect jumps or exceptions (like TRAP, for switching into supervisor mode).

You will have to follow the old-school method of disassembling the boot-loader and find out where the main program is loaded and executed.

[Codetapper]

It depends on the game. If it's an old single file crack, the jump address is very easy to extract out of the cruncher. Popping addresses off the stack will only return you to a routine that jumped or branched to a subroutine, so if the game had a jump earlier on then that won't be on the stack.

What game is it, and why exactly do you want the start address anyway?

[SparkyNZ]

Quote:

Originally Posted by Codetapper

What game is it, and why exactly do you want the start address anyway?

Its Mercenary, Escape from Targ (Second City also on the same disk). There are two "game files" on the disk which can be seen via CLI but they don't appear to be executable.

The reason I'd like the start address is to get a starting point to try and figure out how the game works. Do think there's a better way? The other thing I was thinking of doing was looking for obvious custom chip addresses in the code but ideally I'd like to know where the starting location is - assuming that the code isn't self-modifying.

Quote:

Originally Posted by phx

You will have to follow the old-school method of disassembling the boot-loader and find out where the main program is loaded and executed.

Thanks. Whats the best way to follow the boot-loader? Do you have a favourite tool or book. I have a copy of ReSource - I think that can load the boot-loader content directly can't it? Or will I have to use a "Disk Editor" tool in conjunction with the RKM Devices manual? Devices manual.. hmm.. Isn't the boot-loader documented in the Hardware Ref Manual? I'm going to have to have to go and look aren't I.

[phx]

On an NDOS disk you will usually start disassembling the boot block. This can be done with any disassembler you like. You don't need to reassemble it.

In the case of Mercenary we have a simple DOS disk, which will execute the file "c/Escape_From_Targ". Here it makes sense to reassemble this program, because the developers were so friendly to leave the symbols in.

First it loads Game1_Code into an allocated Chip memory region:

Code:

grasp_mem:
        MOVE.L  Block0_Size,D0          ;06e: 2039000000ec
        MOVE.L  #$00010002,D1           ;074: 223c00010002
        MOVEA.L ABSEXECBASE.W,A6        ;07a: 2c780004
        JSR     -198(A6)                ;07e: 4eaeff3a
        TST.L   D0                      ;082: 4a80
        BEQ.W   BOMB                    ;084: 6700000a
        MOVE.L  D0,Block0_Data          ;088: 23c0000000f0
        RTS                             ;08e: 4e75
BOMB:
        JMP     EXT_0000                ;090: 4ef900000000
load:
        MOVE.L  #Block0_Name,D1         ;096: 223c000000dc
        MOVE.L  #$000003ed,D2           ;09c: 243c000003ed
        MOVEA.L _DOSBase,A6             ;0a2: 2c790000005a
        JSR     -30(A6)                 ;0a8: 4eaeffe2
        MOVE.L  D0,File_handle          ;0ac: 23c0000000f4
        MOVE.L  Block0_Size,D3          ;0b2: 2639000000ec
        MOVE.L  Block0_Data,D2          ;0b8: 2439000000f0
        MOVE.L  D0,D1                   ;0be: 2200
        MOVEA.L _DOSBase,A6             ;0c0: 2c790000005a
        JSR     -42(A6)                 ;0c6: 4eaeffd6
        MOVE.L  File_handle,D1          ;0ca: 2239000000f4
        MOVEA.L _DOSBase,A6             ;0d0: 2c790000005a
        JSR     -36(A6)                 ;0d6: 4eaeffdc
        RTS                             ;0da: 4e75
Block0_Name:
        ;0dc
        ;DC.B   $44,$46,$30,$3a,$47,$61,$6d,$65,$31,$5f,$43,$6f,$64,$65,$00,$00
        DC.B    "DF0:Game1_Code",0,0
Block0_Size:
        DC.L    $0002a000               ;0ec
Block0_Data:
        DS.L    1                       ;0f0
File_handle:
        DS.L    1                       ;0f4

Then it switches to supervisor mode, installs a copper list and copies the game code $40000. The game is started at $401c0.

Code:

doit:
        MOVE.L  Block0_Data,D6          ;0f8: 2c39000000f0
        LEA     L_002(PC),A0            ;0fe: 41fa000a
        MOVE.L  A0,TRAP_01              ;102: 23c800000080
        TRAP    #0                      ;108: 4e40
L_002:
        MOVE    #$2700,SR               ;10a: 46fc2700
        LEA     doit2(PC),A0            ;10e: 41fa001a
        LEA     EXT_0004,A1             ;112: 43f900001000
        MOVE.L  #$00000800,D0           ;118: 203c00000800
doit1:
        MOVE.L  (A0)+,(A1)+             ;11e: 22d8
        DBF     D0,doit1                ;120: 51c8fffc
        JMP     EXT_0004                ;124: 4ef900001000
doit2:
        MOVEA.W #$6000,A7               ;12a: 3e7c6000
        LEA     Copper_List(PC),A0      ;12e: 41fa0082
        LEA     EXT_0003,A1             ;132: 43f900000544
        MOVE.W  #$0020,D0               ;138: 303c0020
L_003:
        MOVE.L  (A0)+,(A1)+             ;13c: 22d8
        DBF     D0,L_003                ;13e: 51c8fffc
        BSR.W   L_019                   ;142: 6100003a
        MOVE.L  #$0000a800,D0           ;146: 203c0000a800
        MOVEA.L D6,A0                   ;14c: 2046
        MOVEA.L #$00040000,A1           ;14e: 227c00040000
        CMPA.L  A0,A1                   ;154: b3c8
        BCS.W   copy_up                 ;156: 6500001a
        ADDA.L  #$0002a000,A0           ;15a: d1fc0002a000
        ADDA.L  #$0002a000,A1           ;160: d3fc0002a000
copy_down:
        MOVE.L  -(A0),-(A1)             ;166: 2320
        DBF     D0,copy_down            ;168: 51c8fffc
        JMP     EXT_0005                ;16c: 4ef9000401c0
copy_up:
        MOVE.L  (A0)+,(A1)+             ;172: 22d8
        DBF     D0,copy_up              ;174: 51c8fffc
        JMP     EXT_0005                ;178: 4ef9000401c0

[SparkyNZ]

Quote:

Originally Posted by phx

Here it makes sense to reassemble this program, because the developers were so friendly to leave the symbols in.

Sorry, how do you means that the developers left the symbols in? Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?

Hey - thanks for doing this - I wish I was this good!!!

[Galahad/FLT]

Quote:

Originally Posted by SparkyNZ

Sorry, how do you means that the developers left the symbols in? Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?

Hey - thanks for doing this - I wish I was this good!!!

Is it my version of Mercenary and Second City by any chance?

[SparkyNZ]

Quote:

Originally Posted by Galahad/FLT

Is it my version of Mercenary and Second City by any chance?

Is this one yours? ..

Mercenary Compendium (1988)(Novagen)[cr BS1 - TKT].adf

[Galahad/FLT]

Quote:

Originally Posted by SparkyNZ

Is this one yours? ..

Mercenary Compendium (1988)(Novagen)[cr BS1 - TKT].adf

Nope, thats Bamiga Sector 1 and The Kent Team

Would imagine they are single filed and easy to do. If you were lazy, you could probably use a util like DLD which is a depacker util, and if they used an absolute packer, on depacking the game files, it will give you the load address and start address for the file when it depacks.

If that doesn't work, actually loading up the file in a dissassembler you should be able to find the depack address quite easily.

On older releases, invariably the load address was the same as the address to activate the game.

[SparkyNZ]

Quote:

Originally Posted by Galahad/FLT

Would imagine they are single filed and easy to do. If you were lazy, you could probably use a util like DLD which is a depacker

I'm pretty lazy.. but it is good to know what I'm doing. I'm quite busy with another project at the moment but I'm just tinkering and doing a bit of research before I start fiddling and nosing around the Mercenary games. Many years ago some kind person cracked Mercenary 3 for me - I bought it cheap when I had an A1200 and it wouldn't run on the AGA machine. That person cracked it in an hour or so and sent me a copy that worked on my A1200. So by the looks of things, Damocles and Mercenary 3 will be NDOS disks.. unless there are cracked copies out there which are normal DOS disks of course? Perhaps you cracked these too?

Call me nuts but I do have an interest in all of the Mercenary games.

[phx]

Quote:

Originally Posted by SparkyNZ

Sorry, how do you means that the developers left the symbols in?

Most labels which you see in the reassembly are the labels from the original source text.

Quote:

Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?

The HUNK_CODE (code section contents) is accompanied by a HUNK_SYMBOL, which defines all those label names and offsets.

[SparkyNZ]

Quote:

Originally Posted by phx

Most labels which you see in the reassembly are the labels from the original source text.

The HUNK_CODE (code section contents) is accompanied by a HUNK_SYMBOL, which defines all those label names and offsets.

Thats impressive. Similar to a .PDB file in a way I guess. I wonder if I'll be so lucky with Damocles and Mercenary 3..

[Galahad/FLT]

All of the Mercenary games were NonDOS custom format disks as a form of Copy protection.

However, with the exception of the titlepics, the games themselves were single load affairs, i.e. once the game started, all the data that was required by the game was already in memory and it didn't physically need to load from the disk again.

All of the Mercenary games were single filed back in the day, but invariably missing out the title screens.

Crystal cracked Damocles, and retained the title picture, but they used a custom fileloader which meant it couldn't be run from hard drive.

I cracked Mercenary Escape from Targ and Mercenary The Second City a few years ago as single files but with the titlepics retained.

My version is at: http://grandis.nu:81/eabsearch/searc...xclude=&limit=

Its the first in the listing.

Because of the size of the games and that they crunch down very well, it is inconceivable that they were not single filed no matter who cracked them.