05 March 2015, 07:01 | #1
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
Disassembling - finding a game start address
How would I go about finding out where the start address is for a game - in general.
I'm using WinUAE so I can freeze the game (non-WB game) and start using the debugger. Is it possible to determine the start address of the code by continuously popping addresses off the stack? The game is one of many cracked games.
05 March 2015, 07:39 | #2
Natteravn
Join Date: Nov 2009
Location: Herford / Germany
Posts: 2,496
Quote:
You will have to follow the old-school method of disassembling the boot-loader and find out where the main program is loaded and executed.
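An added example to go with the boot-loader advice above (it is not code from anyone in this thread). The ROM reads the first two sectors of track 0 as one 1024-byte boot block, checks the "DOS" signature and the checksum at offset 4, and if both are good jumps to offset 12 with A6 = ExecBase. That offset is therefore where disassembly of a custom boot-loader starts. The script below checks a boot block the way the ROM does and says whether the code at offset 12 is the stock DOS stub (game started from the startup-sequence, as with Mercenary's c/Escape_From_Targ) or custom loader code. The two sample blocks are constructed for the example: STANDARD_BOOT follows the shape of the stock Kickstart boot code, and CUSTOM_BOOT reuses three instructions from the listing later in this thread as stand-in loader code.

```python
import struct

BOOTBLOCK_SIZE = 1024   # track 0, sectors 0 and 1, loaded as one unit by the ROM
BOOTCODE_OFFSET = 12    # where the ROM jumps, with A6 = ExecBase and A1 = the trackdisk IORequest
FINDRESIDENT_JSR = bytes.fromhex("4eaeffa0")   # JSR -96(A6): exec FindResident


def bootblock_checksum(block: bytes) -> int:
    """Checksum as Kickstart computes it: add the 256 big-endian longwords with
    end-around carry, counting the stored checksum (offset 4) as zero, then
    complement the sum.  A block whose stored checksum is correct sums to
    0xFFFFFFFF, which is the test the ROM applies before booting from it."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue                            # skip the checksum field itself
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1    # end-around carry
    return (~total) & 0xFFFFFFFF


def make_bootblock(bootcode: bytes, root_block: int = 880) -> bytes:
    """Build a 1024-byte boot block around some boot code and fill in a valid
    checksum.  Used here only to construct sample blocks; 880 is the root block
    of a standard double-density floppy."""
    body = b"DOS\x00" + bytes(4) + struct.pack(">I", root_block) + bootcode
    if len(body) > BOOTBLOCK_SIZE:
        raise ValueError("boot code does not fit in a boot block")
    block = bytearray(body.ljust(BOOTBLOCK_SIZE, b"\x00"))
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)


def analyze_bootblock(block: bytes) -> dict:
    """Report whether the ROM would boot this block at all and whether the code
    at offset 12 is the standard DOS stub or custom loader code."""
    signature_ok = block[:3] == b"DOS"
    stored = struct.unpack_from(">I", block, 4)[0]
    checksum_ok = bootblock_checksum(block) == stored
    code = block[BOOTCODE_OFFSET:]
    if not (signature_ok and checksum_ok):
        kind = "not bootable"
    elif FINDRESIDENT_JSR in code and b"dos.library" in code:
        kind = "standard DOS boot"
    else:
        kind = "custom boot code"
    return {
        "kind": kind,
        "signature_ok": signature_ok,
        "checksum_ok": checksum_ok,
        "flags": block[3],              # low bits select the file system variant on later Kickstarts
        "code_offset": BOOTCODE_OFFSET,
    }


# Constructed samples (not dumped from a real disk).
STANDARD_BOOT = bytes.fromhex(
    "43fa0018"      # LEA     dosname(PC),A1
    "4eaeffa0"      # JSR     -96(A6)        ; FindResident
    "4a80"          # TST.L   D0
    "670a"          # BEQ.S   fail
    "2040"          # MOVEA.L D0,A0
    "20680016"      # MOVEA.L 22(A0),A0      ; RT_INIT
    "7000"          # MOVEQ   #0,D0
    "4e75"          # RTS
    "70ff"          # MOVEQ   #-1,D0         ; fail
    "4e75"          # RTS
) + b"dos.library\x00"
# MOVE #$2700,SR ; MOVEA.L $4.W,A6 ; JMP $1000  (three instructions from the Mercenary listing)
CUSTOM_BOOT = bytes.fromhex("46fc2700" "2c780004" "4ef900001000")

if __name__ == "__main__":
    for name, code in (("standard", STANDARD_BOOT), ("custom", CUSTOM_BOOT)):
        print(name, analyze_bootblock(make_bootblock(code)))
```

On a real disk image (ADF) the boot block is simply the first 1024 bytes, so `analyze_bootblock(open("game.adf", "rb").read(1024))` gives the same report; a "custom boot code" result means the loader itself is at offset 12 and that is where to point the disassembler.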
05 March 2015, 07:41 | #3
2 contact me: email only!
Join Date: May 2001
Location: Auckland / New Zealand
Posts: 3,182
It depends on the game. If it's an old single file crack, the jump address is very easy to extract out of the cruncher. Popping addresses off the stack will only return you to a routine that jumped or branched to a subroutine, so if the game had a jump earlier on then that won't be on the stack.
What game is it, and why exactly do you want the start address anyway?
05 March 2015, 07:53 | #4
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
|
Quote:
The reason I'd like the start address is to get a starting point to try and figure out how the game works. Do you think there's a better way? The other thing I was thinking of doing was looking for obvious custom chip addresses in the code, but ideally I'd like to know where the starting location is - assuming that the code isn't self-modifying. Thanks.
What's the best way to follow the boot-loader? Do you have a favourite tool or book? I have a copy of ReSource - I think that can load the boot-loader content directly, can't it? Or will I have to use a "Disk Editor" tool in conjunction with the RKM Devices manual? Devices manual.. hmm.. Isn't the boot-loader documented in the Hardware Ref Manual? I'm going to have to go and look, aren't I.
Last edited by TCD; 05 March 2015 at 12:55. Reason: Back-to-back posts merged.
05 March 2015, 08:39 | #5
Natteravn
Join Date: Nov 2009
Location: Herford / Germany
Posts: 2,496
On an NDOS disk you will usually start disassembling the boot block. This can be done with any disassembler you like. You don't need to reassemble it.
In the case of Mercenary we have a simple DOS disk, which will execute the file "c/Escape_From_Targ". Here it makes sense to reassemble this program, because the developers were so friendly as to leave the symbols in. First it loads Game1_Code into an allocated Chip memory region:
Code:
grasp_mem:   MOVE.L  Block0_Size,D0         ;06e: 2039000000ec   size = $2a000
             MOVE.L  #$00010002,D1          ;074: 223c00010002   MEMF_CLEAR|MEMF_CHIP
             MOVEA.L ABSEXECBASE.W,A6       ;07a: 2c780004
             JSR     -198(A6)               ;07e: 4eaeff3a       exec AllocMem
             TST.L   D0                     ;082: 4a80
             BEQ.W   BOMB                   ;084: 6700000a
             MOVE.L  D0,Block0_Data         ;088: 23c0000000f0   remember the buffer
             RTS                            ;08e: 4e75
BOMB:        JMP     EXT_0000               ;090: 4ef900000000
load:        MOVE.L  #Block0_Name,D1        ;096: 223c000000dc
             MOVE.L  #$000003ed,D2          ;09c: 243c000003ed   MODE_OLDFILE
             MOVEA.L _DOSBase,A6            ;0a2: 2c790000005a
             JSR     -30(A6)                ;0a8: 4eaeffe2       dos Open
             MOVE.L  D0,File_handle         ;0ac: 23c0000000f4
             MOVE.L  Block0_Size,D3         ;0b2: 2639000000ec
             MOVE.L  Block0_Data,D2         ;0b8: 2439000000f0
             MOVE.L  D0,D1                  ;0be: 2200
             MOVEA.L _DOSBase,A6            ;0c0: 2c790000005a
             JSR     -42(A6)                ;0c6: 4eaeffd6       dos Read into the buffer
             MOVE.L  File_handle,D1         ;0ca: 2239000000f4
             MOVEA.L _DOSBase,A6            ;0d0: 2c790000005a
             JSR     -36(A6)                ;0d6: 4eaeffdc       dos Close
             RTS                            ;0da: 4e75
Block0_Name:                                ;0dc
;            DC.B $44,$46,$30,$3a,$47,$61,$6d,$65,$31,$5f,$43,$6f,$64,$65,$00,$00
             DC.B    "DF0:Game1_Code",0,0
Block0_Size: DC.L    $0002a000              ;0ec
Block0_Data: DS.L    1                      ;0f0
File_handle: DS.L    1                      ;0f4
Code:
doit:        MOVE.L  Block0_Data,D6         ;0f8: 2c39000000f0   D6 = loaded Game1_Code
             LEA     L_002(PC),A0           ;0fe: 41fa000a
             MOVE.L  A0,TRAP_01             ;102: 23c800000080   install TRAP #0 vector ($80)
             TRAP    #0                     ;108: 4e40           enter supervisor mode
L_002:       MOVE    #$2700,SR              ;10a: 46fc2700       interrupts off
             LEA     doit2(PC),A0           ;10e: 41fa001a
             LEA     EXT_0004,A1            ;112: 43f900001000
             MOVE.L  #$00000800,D0          ;118: 203c00000800
doit1:       MOVE.L  (A0)+,(A1)+            ;11e: 22d8           copy doit2 to $1000
             DBF     D0,doit1               ;120: 51c8fffc
             JMP     EXT_0004               ;124: 4ef900001000   continue at $1000
doit2:       MOVEA.W #$6000,A7              ;12a: 3e7c6000       own stack
             LEA     Copper_List(PC),A0     ;12e: 41fa0082
             LEA     EXT_0003,A1            ;132: 43f900000544
             MOVE.W  #$0020,D0              ;138: 303c0020
L_003:       MOVE.L  (A0)+,(A1)+            ;13c: 22d8           copy copper list to $544
             DBF     D0,L_003               ;13e: 51c8fffc
             BSR.W   L_019                  ;142: 6100003a
             MOVE.L  #$0000a800,D0          ;146: 203c0000a800   $a801 longwords = $2a004 bytes
             MOVEA.L D6,A0                  ;14c: 2046           source: loaded Game1_Code
             MOVEA.L #$00040000,A1          ;14e: 227c00040000   destination: $40000
             CMPA.L  A0,A1                  ;154: b3c8           pick copy direction for overlap
             BCS.W   copy_up                ;156: 6500001a
             ADDA.L  #$0002a000,A0          ;15a: d1fc0002a000
             ADDA.L  #$0002a000,A1          ;160: d3fc0002a000
copy_down:   MOVE.L  -(A0),-(A1)            ;166: 2320
             DBF     D0,copy_down           ;168: 51c8fffc
             JMP     EXT_0005               ;16c: 4ef9000401c0   game entry point: $401c0
copy_up:     MOVE.L  (A0)+,(A1)+            ;172: 22d8
             DBF     D0,copy_up             ;174: 51c8fffc
             JMP     EXT_0005               ;178: 4ef9000401c0   game entry point: $401c0
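The listing above shows the pattern to look for when the symbols are not there: the loader grabs ExecBase from $4, calls AllocMem, then loads DOSBase and calls Open/Read/Close, and the JMP at the end is the start address. As an added example (not code from this thread), the script below does a linear sweep over the raw hex bytes of grasp_mem and load copied from the listing, finds every JSR/JMP d16(A6), and names the call from the library vector offset. A6 loaded from $4 is ExecBase; A6 loaded from any other absolute address is assumed to be DOSBase, which is a heuristic that fits loaders like this one but is not guaranteed. A plain word sweep can also trip over data words that happen to look like opcodes, so treat the output as leads to check in the disassembler, not as a decoded listing.

```python
# Library vector offsets (LVOs) from the Amiga include files; only the entries
# needed for a loader like the one above are listed.
EXEC_LVOS = {-96: "FindResident", -198: "AllocMem", -210: "FreeMem"}
DOS_LVOS = {-30: "Open", -36: "Close", -42: "Read", -48: "Write"}

# Raw bytes of grasp_mem and load, copied from the hex column of the listing ($06e-$0db).
LISTING_BASE = 0x06E
LISTING_BYTES = bytes.fromhex(
    "2039000000ec 223c00010002 2c780004 4eaeff3a 4a80 6700000a 23c0000000f0 4e75 4ef900000000"
    " 223c000000dc 243c000003ed 2c790000005a 4eaeffe2 23c0000000f4 2639000000ec 2439000000f0 2200"
    " 2c790000005a 4eaeffd6 2239000000f4 2c790000005a 4eaeffdc 4e75"
)


def find_library_calls(code: bytes, base: int = 0):
    """Linear sweep for JSR/JMP d16(A6), tracking what was last loaded into A6.
    A6 loaded from $4 is ExecBase; A6 loaded from another absolute address is
    assumed (heuristic) to be DOSBase.  Returns (address, displacement,
    a6_source, guessed_name) tuples."""
    calls = []
    a6 = "unknown"
    i = 0
    while i + 4 <= len(code):
        word = int.from_bytes(code[i:i + 2], "big")
        nxt = int.from_bytes(code[i + 2:i + 4], "big")
        if word == 0x2C78 and nxt == 0x0004:              # MOVEA.L $4.W,A6
            a6 = "exec"
        elif word == 0x2C79 and i + 6 <= len(code):       # MOVEA.L abs.L,A6
            a6 = "base@$%08x" % int.from_bytes(code[i + 2:i + 6], "big")
        elif word in (0x4EAE, 0x4EEE):                    # JSR / JMP d16(A6)
            disp = nxt - 0x10000 if nxt & 0x8000 else nxt  # sign-extend the 16-bit displacement
            table = EXEC_LVOS if a6 == "exec" else DOS_LVOS
            calls.append((base + i, disp, a6, table.get(disp, "?")))
        i += 2
    return calls


if __name__ == "__main__":
    for addr, disp, a6, name in find_library_calls(LISTING_BYTES, LISTING_BASE):
        print("%04x: JSR %d(A6)  A6=%s  -> %s" % (addr, disp, a6, name))
```

Run on the bytes from the listing it reports AllocMem at $07e, Open at $0a8, Read at $0c6 and Close at $0d6, which is exactly the load sequence the symbols spell out; on a stripped file the same four hits tell you where the code is loaded to (the AllocMem result that is stored) and what comes after the last Read is where to look for the jump into the game.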
05 March 2015, 09:11 | #6
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
Quote:
Hey - thanks for doing this - I wish I was this good!!!
05 March 2015, 09:21 | #7
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,987
Is it my version of Mercenary and Second City by any chance?
05 March 2015, 09:25 | #8
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
|
05 March 2015, 09:28 | #9
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,987
Quote:
Would imagine they are single filed and easy to do. If you were lazy, you could probably use a util like DLD which is a depacker util, and if they used an absolute packer, on depacking the game files, it will give you the load address and start address for the file when it depacks. If that doesn't work, actually loading up the file in a disassembler you should be able to find the depack address quite easily. On older releases, invariably the load address was the same as the address to activate the game.
05 March 2015, 09:43 | #10
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
Quote:
Call me nuts but I do have an interest in all of the Mercenary games.
05 March 2015, 09:45 | #11
Natteravn
Join Date: Nov 2009
Location: Herford / Germany
Posts: 2,496
Quote:
Quote:
05 March 2015, 09:57 | #12
Registered User
Join Date: Oct 2014
Location: New Zealand
Posts: 62
That's impressive. Similar to a .PDB file in a way, I guess. I wonder if I'll be so lucky with Damocles and Mercenary 3..
05 March 2015, 12:36 | #13
Going nowhere
Join Date: Oct 2001
Location: United Kingdom
Age: 50
Posts: 8,987
All of the Mercenary games were NonDOS custom format disks as a form of Copy protection.
However, with the exception of the titlepics, the games themselves were single load affairs, i.e. once the game started, all the data that was required by the game was already in memory and it didn't physically need to load from the disk again.
All of the Mercenary games were single filed back in the day, but invariably missing out the title screens. Crystal cracked Damocles, and retained the title picture, but they used a custom fileloader which meant it couldn't be run from hard drive.
I cracked Mercenary Escape from Targ and Mercenary The Second City a few years ago as single files but with the titlepics retained. My version is at: http://grandis.nu:81/eabsearch/searc...xclude=&limit= It's the first in the listing.
Because of the size of the games and that they crunch down very well, it is inconceivable that they were not single filed no matter who cracked them.