English Amiga Board
Old 07 March 2018, 05:33   #1
a.nonyme
 
Posts: n/a
Help/Guidance reverse engineering a demo

Hi,

I would like to practice my RE skills. I'm trying to reverse engineer the State of the Art demo from an adf I've downloaded. Eventually I would like to re-code it in javascript for fun.

My first problem is that I'm not so comfortable about how a track loader is working and can't really figure out the "entry point" of the demo itself.

I've been following pointers from this post http://www.woodmann.com/forum/archiv...hp/t-4514.html
to try to figure out where the code of the demo is loaded in memory and then use the FS-UAE debugger to do step by step.

If someone is willing to provide guidance/help I could start pasting some of my findings.
 
Old 07 March 2018, 07:21   #2
StingRay
move.l #$c0ff33,throat

Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
Disassemble the bootblock. You will see which file is loaded to which address then. Then disassemble that file and locate the trackloader (usually very easy to spot, just look for code which searches for the SYNC marker ($4489)). You don't have to know how the trackloader is working, you only need to know which data it loads to which locations. Which can be easily figured out by checking the loader calls. Then you can use that info to disassemble all the other parts of the demo.
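Added example (editor's, not code from this thread or from the demo): a small Python tool that does on a disk image what the post above describes by hand. It takes the 1024-byte bootblock, checks the DOS signature and the AmigaDOS checksum the ROM verifies before it jumps into the boot code, then scans the image for $4489 and classifies each hit by the opcode word in front of it: cmpi.w #$4489,<ea> for the search loop, and move.w #$4489,$DFF07E for the DSKSYNC write that usually sits next to a trackloader. The bootblock it is tested on is constructed inline; the base argument is whatever address your disassembler loaded the code at, and the opcode masks assume the sync word sits in a 16-bit-aligned instruction stream, so hits that are not an immediate operand are reported separately rather than guessed at.

```python
import struct
import sys

BOOTBLOCK_SIZE = 1024      # first two 512-byte sectors of an 880 KB ADF
SYNC_WORD = 0x4489         # MFM sync mark a trackloader searches for
DSKSYNC = 0xDFF07E         # custom-chip register the loader usually programs with it


def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS bootblock checksum: the 256 big-endian longwords summed with
    end-around carry, the checksum field (offset 4) counted as zero, then inverted."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        total += 0 if off == 4 else struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def bootblock_ok(block: bytes) -> bool:
    """True when the block has a DOS signature and its stored checksum matches."""
    if len(block) < BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return False
    return struct.unpack_from(">I", block, 4)[0] == bootblock_checksum(block)


def ea_name(mode: int, reg: int) -> str:
    """Render the 68000 effective-address modes a sync compare is likely to use."""
    names = {0: f"d{reg}", 2: f"(a{reg})", 3: f"(a{reg})+", 4: f"-(a{reg})", 5: f"d16(a{reg})"}
    if (mode, reg) == (7, 1):
        return "abs.l"
    return names.get(mode, f"mode{mode}/reg{reg}")


def find_sync_refs(code: bytes, base: int = 0):
    """(address, description) for every 16-bit-aligned $4489 word in `code`,
    classified by the opcode word that precedes it; `base` is the load address."""
    hits = []
    for off in range(2, len(code) - 1, 2):
        if struct.unpack_from(">H", code, off)[0] != SYNC_WORD:
            continue
        op = struct.unpack_from(">H", code, off - 2)[0]
        if (op & 0xFFC0) == 0x0C40:                       # cmpi.w #imm,<ea>
            hits.append((base + off - 2, f"cmpi.w #$4489,{ea_name((op >> 3) & 7, op & 7)}"))
        elif (op & 0xF03F) == 0x303C:                     # move.w #imm,<ea>
            mode, reg = (op >> 6) & 7, (op >> 9) & 7
            target = ea_name(mode, reg)
            if (mode, reg) == (7, 1) and off + 6 <= len(code):
                dest = struct.unpack_from(">I", code, off + 2)[0]
                target = "DSKSYNC" if dest == DSKSYNC else f"${dest:X}.l"
            hits.append((base + off - 2, f"move.w #$4489,{target}"))
        else:                                             # operand of something else, or data
            hits.append((base + off, "$4489 not preceded by cmpi.w/move.w #imm"))
    return hits


def build_sample_bootblock() -> bytes:
    """Constructed test input: a DOS bootblock whose code shows the three shapes a
    trackloader sync search usually has (DSKSYNC write, search loop, re-check)."""
    code = (bytes.fromhex("33FC448900DFF07E")     # move.w #$4489,$DFF07E
            + bytes.fromhex("0C5A4489")           # cmpi.w #$4489,(a2)+
            + bytes.fromhex("66FA")               # bne.s  back to the cmpi
            + bytes.fromhex("0C524489")           # cmpi.w #$4489,(a2)
            + bytes.fromhex("4E75"))              # rts
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"                       # OFS bootblock signature
    block[8:12] = struct.pack(">I", 880)          # root block number, as on a real disk
    block[12:12 + len(code)] = code
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)


def analyse(image: bytes, base: int = 0):
    """Bootblock validity plus a sync-word scan over the whole image."""
    return bootblock_ok(image[:BOOTBLOCK_SIZE]), find_sync_refs(image, base)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bootblock()
    ok, refs = analyse(image)
    print("bootblock checksum:", "ok" if ok else "BAD")
    for addr, what in refs:
        print(f"${addr:06X}  {what}")
```

Run it with the ADF path as the only argument; with no argument it analyses the constructed bootblock. On a real trackloaded disk the hits outside the first 1024 bytes point into the raw track data, which is where the loader file itself lives.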
Old 07 March 2018, 23:36   #3
a.nonyme
I stuck the asm dump of the first track in a public gist here

State of the art first adf tracks asm dump


I can locate some code looking for the markers. For example

Code:
000DC1C4 loc_DC1C4:                              ; CODE XREF: RAM:000DC1C8j
000DC1C4                 cmpi.w  #$4489,(a2)+
000DC1C8                 bne.s   loc_DC1C4
000DC1CA                 cmpi.w  #$4489,(a2)
000DC1CE                 bne.s   loc_DC1D2
000DC1D0                 addq.l  #2,a2
But then I'm not sure where to go from there.

A little guidance would be most welcome.

My understanding so far is that it starts copying what's in between addresses
0xDC034 and 0xDC2B4 (relative to PC) to absolute address $100 and then jumps to $100, executing the copied code.

Code:
000DC01E                 lea     $DC034,a0
000DC022                 lea     $DC2B4,a1
000DC026                 lea     ($100).w,a2
000DC02A
000DC02A loc_DC02A:                              ; CODE XREF: RAM:000DC02Ej
000DC02A                 move.b  (a0)+,(a2)+
000DC02C                 cmpa.l  a0,a1
000DC02E                 bne.s   loc_DC02A
000DC030                 jmp     $100

Before doing that though I believe it calls a function:

Code:
000DC00C                 bsr.w   sub_DC2B4
000DC010                 move.w  #$7FFF,(word_DFF09A).l
000DC018                 movea.l #$9A0,sp
if I look at sub_DC2B4, it seems that the function is checking stuff, like what Amiga, memory extension or what not maybe ? Got no idea TBH.

So now I need to understand the code which has been copied ...

Will try to do loc_DC034, loc_DC03E & loc_DC070 when I get a chance but a few hints for the first blocks would be most welcome.
 
Old 08 March 2018, 08:50   #4
StingRay
sub_DC2B4 is a check for extra memory. As for the loader, think what it has to do: it needs at least 3 parameters: start offset, length, destination. Which in turn means you should look for code which passes 3 parameters to a sub-routine. If you have a closer look at $DC0A8 you might find something interesting...

No offence but I doubt you'll be able to disassemble the demo with your current knowledge. The boot code really is very easy to understand and you already struggle to continue.
Old 08 March 2018, 12:29   #5
a.nonyme
Thanks for your help and no worries: no offence taken as, as you said, it's just about a lack of knowledge about a particular piece of hardware ... it's neither a lack of motivation nor of skills, hopefully. I will pick it up.

Will check $DC0A8 when I get a chance.

Again thanks for your help.

Last edited by a.nonyme; 08 March 2018 at 23:52.
 
Old 20 March 2018, 11:31   #6
StingRay
I've found some of my old code which rips all files from SOTA. This should help you to get started. Source attached.
Attached Files
File Type: s RipFiles.s (3.0 KB, 172 views)
Old 11 May 2018, 00:21   #7
a.nonyme
Thanks man! Was going to have another look at it :-)
Meanwhile I taught myself more 68k asm
(I wrote a toy compiler with m68k backend supporting Amiga thanks to vasm. Check it out https://github.com/ssrb/tigerlang, it's a bit rubbish I think but it works ^^)
 
Old 11 May 2018, 09:29   #8
jotd
This cat is no more

Join Date: Dec 2004
Location: FRANCE
Age: 52
Posts: 8,160
To reverse engineer the demo you could use the source code from the WHDLoad install of the demo.

No need to reverse engineer the trackloader of the demo... You need the functional parts.

There will be more than 68000 asm here. There's a lot of custom chip tricks that a few people master.
Old 11 May 2018, 19:32   #9
StingRay
Quote:
Originally Posted by jotd View Post
to reverse engineer the demo you could use the source code from whdload install of the demo.
Wouldn't really help that much when it comes to disassembling the actual demo code.

Quote:
Originally Posted by jotd View Post
There will be more than 68000 asm here. There's a lot of custom chip tricks that a few people master.
The code in SOTA is EXTREMELY simple, it's nothing more than a basic animation player. There aren't any real tricks used at all. It's more or less all "set up screen, call anim player code, load next part" kind of stuff.
Old 16 May 2018, 04:46   #10
a.nonyme
I set up github & travis with your ripper to start with. It's here https://github.com/ssrb/SOTA

I ran the exec in UAE and archived SOTAXXX_YYY.bin files.

Dropbox: https://www.dropbox.com/s/mge11i1a7fqpokv/SOTA.zip?dl=0

For the SOTA.dsk I used the adf: ie I renamed from "Spaceballs - State of the Art.adf" to SOTA.dsk. Not sure that's the file that was expected though ?

Gonna track my progress on that repo I guess.

Thanks for your help.
 
Old 16 May 2018, 11:13   #11
StingRay
The files look OK to me. File name extensions are track_length. Check the comments in the RipFiles.s source, they describe what is what.
Old 24 May 2018, 06:04   #12
a.nonyme
Trying the de-crunching code in 21/1 and displaying that image.

Need to learn more about the Amiga chip-set too now.

Last edited by a.nonyme; 24 May 2018 at 06:25.
 
Old 24 May 2018, 09:36   #13
StingRay
21_1 contains very easy to follow code, just displays the 4 "state" "of" "the" "art" pictures, fades the colors and plays a sample. And finally displays the credits picture. Make sure you fully understand the code before continuing with anything else!
Old 25 May 2018, 01:53   #14
a.nonyme
It's happening here https://gist.github.com/ssrb/c37366b...2f68cab9a7bdde

Final version of the big function, need to make sense of it now ...
Code:

#include <stddef.h>
#include <stdint.h>

/* The bit-fetching subroutines at $527D0/$527D2 are called below but their
 * bodies are not in this dump, so they are only declared here. They work on
 * the same stream registers as the caller (d7 bit buffer, a5 read pointer). */
uint32_t sub_527D0(uint32_t d1);   /* two bytes before sub_527D2 */
uint32_t sub_527D2(uint32_t d1);

/* 68000 longwords are big-endian; read them byte-wise so this is host-independent. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

void decrunch(const uint8_t *src /*a3*/, uint8_t *dst /*a0*/);

//ROM:0005201E                 movea.l ($7C).w,a3
//ROM:00052022                 adda.l  #$20000,a3
//ROM:00052028                 lea     ($6CB10).l,a0
//ROM:0005202E                 bsr.w   sub_5273
void call_decrunch(void)
{
    const uint8_t *src = *(const uint8_t **)0x7C + 0x20000;  /* pointer stored at $7C, plus $20000 */
    uint8_t *dst = (uint8_t *)0x6CB10;
    decrunch(src, dst);
}

// ROM:0005273E sub_5273E:
void decrunch(const uint8_t *src /*a3*/, uint8_t *dst /*a0*/)
{
    // ROM:0005273E                 lea     $C(a3),a5
    const uint8_t *srcstart = src + 0xC;

    // ROM:00052742                 movea.l a0,a4
    uint8_t *dststart = dst;

    // ROM:00052744                 adda.l  8(a3),a5
    size_t srclen = be32(src + 0x8);
    const uint8_t *srccurr = srcstart + srclen;   /* a5: one past the last crunched byte */

    // ROM:00052748                 adda.l  4(a3),a0
    size_t dstlen = be32(src + 0x4);
    uint8_t *dstcurr = dststart + dstlen;         /* a0: one past the end of the output */

    // ROM:0005274C                 moveq   #$7F,d3     ; constants: d3 = $7F, d5 = 3, d6 = 7
    // ROM:0005274E                 moveq   #0,d4
    // ROM:00052750                 moveq   #3,d5
    // ROM:00052752                 moveq   #7,d6
    // ROM:00052754                 move.b  3(a3),d4    ; d4 = header byte 3

    // ROM:00052758                 move.l  -(a5),d7
    srccurr -= 4;
    uint32_t data = be32(srccurr);
    uint32_t cflag, xflag;

    // ROM:0005275A loc_5275A:
    do {
        // ROM:0005275A                 moveq   #0,d2
        int idx = 0;

        // ROM:0005275C                 lsr.l   #1,d7
        cflag = xflag = data & 1;
        data >>= 1;

        // ROM:0005275E                 bne.s   loc_52764
        if (data == 0) {
            // ROM:00052760                 move.l  -(a5),d7
            srccurr -= 4;
            data = be32(srccurr);
            // ROM:00052762                 roxr.l  #1,d7   ; X (the bit just shifted out) enters at bit 31
            cflag = data & 1;
            data = (data >> 1) | (xflag << 31);
            xflag = cflag;
        }

        // ROM:00052764 loc_52764:
        // ROM:00052764                 bcc.s   loc_52788
        if (cflag) {
            uint8_t idx2 = 0;

            // ROM:00052766 loc_52766:
            do {
                // ROM:00052766                 move.w  d5,d1
                // ROM:00052768                 bsr.s   sub_527D0
                idx2 = (uint8_t)sub_527D0(3);
                // ROM:0005276A                 add.l   d0,d2
                idx += idx2;
                // ROM:0005276C                 cmp.w   d6,d0
                // ROM:0005276E                 beq.s   loc_52766
            } while (idx2 == 7);

            // ROM:00052770 loc_52770:
            do {
                // ROM:00052770                 move.w  d6,d1
                int cnt = 7;

                // ROM:00052772 loc_52772:
                do {
                    // ROM:00052772                 lsr.l   #1,d7
                    cflag = xflag = data & 1;
                    data >>= 1;

                    // ROM:00052774                 bne.s   loc_5277A
                    if (data == 0) {
                        // ROM:00052776                 move.l  -(a5),d7
                        srccurr -= 4;
                        data = be32(srccurr);
                        // ROM:00052778                 roxr.l  #1,d7
                        cflag = data & 1;
                        data = (data >> 1) | (xflag << 31);
                        xflag = cflag;
                    }

                    // ROM:0005277A loc_5277A:
                    // ROM:0005277A                 roxr.b  #1,d0   ; the fetched bit (X) enters at bit 7
                    cflag = idx2 & 1;
                    idx2 = (uint8_t)((idx2 >> 1) | (xflag << 7));
                    xflag = cflag;

                    // ROM:0005277C                 dbf     d1,loc_52772
                } while (--cnt != -1);

                // ROM:00052780                 move.b  d0,-(a0)
                *--dstcurr = idx2;

                // ROM:00052782                 subq.l  #1,d2
                // ROM:00052784                 bne.s   loc_52770
            } while (--idx != 0);

            // ROM:00052786                 bra.s   loc_527CA

        } else {
            int idx2 = 0;

            // ROM:00052788 loc_52788:
            // ROM:00052788                 moveq   #1,d1
            // ROM:0005278A                 bsr.s   sub_527D2
            // ROM:0005278C                 moveq   #0,d1
            // ROM:0005278E                 move.l  d0,d2
            idx = (int)sub_527D2(1);
            // ROM:00052790                 move.b  (a3,d0.w),d1
            uint8_t val = src[idx];

            // ROM:00052794                 cmp.w   d5,d0
            // ROM:00052796                 bne.s   loc_527BE
            if (idx == 3) {
                // ROM:00052798                 lsr.l   #1,d7
                cflag = xflag = data & 1;
                data >>= 1;

                // ROM:0005279A                 bne.s   loc_527A0
                if (data == 0) {
                    // ROM:0005279C                 move.l  -(a5),d7
                    srccurr -= 4;
                    data = be32(srccurr);
                    // ROM:0005279E                 roxr.l  #1,d7
                    cflag = data & 1;
                    data = (data >> 1) | (xflag << 31);
                    xflag = cflag;
                }

                // ROM:000527A0 loc_527A0:
                // ROM:000527A0                 bcs.s   loc_527B2
                if (!cflag) {
                    // ROM:000527A2 loc_527A2:
                    do {
                        // ROM:000527A2                 move.w  d6,d1
                        // ROM:000527A4                 bsr.s   sub_527D0
                        idx2 = (int)sub_527D0(7);
                        // ROM:000527A6                 add.l   d0,d2
                        idx += idx2;
                        // ROM:000527A8                 cmp.w   d3,d0
                        // ROM:000527AA                 beq.s   loc_527A2
                    } while (idx2 == 0x7F);
                    // ROM:000527AC                 add.l   d6,d2
                    // ROM:000527AE                 add.l   d6,d2
                    idx += 2 * 7;
                    // ROM:000527B0                 bra.s   loc_527BC
                } else {
                    // ROM:000527B2 loc_527B2:
                    do {
                        // ROM:000527B2                 move.w  d5,d1
                        // ROM:000527B4                 bsr.s   sub_527D0
                        idx2 = (int)sub_527D0(3);
                        // ROM:000527B6                 add.l   d0,d2
                        idx += idx2;
                        // ROM:000527B8                 cmp.w   d6,d0
                        // ROM:000527BA                 beq.s   loc_527B2
                    } while (idx2 == 7);
                }

                // ROM:000527BC loc_527BC:
                // ROM:000527BC                 move.w  d4,d1
                val = src[3];

            } // if (idx == 3)

            // ROM:000527BE loc_527BE:
            // ROM:000527BE                 addq.l  #1,d2
            idx += 1;
            // ROM:000527C0                 bsr.s   sub_527D2
            int16_t idx3 = (int16_t)sub_527D2(val);   /* used as d0.w below, so sign-extended */

            // ROM:000527C2 loc_527C2:
            do {
                // ROM:000527C2                 move.b  (a0,d0.w),-(a0)   ; source is read before a0 is decremented
                uint8_t b = dstcurr[idx3];
                *--dstcurr = b;
                // ROM:000527C6                 subq.l  #1,d2
                // ROM:000527C8                 bpl.s   loc_527C2
            } while (--idx >= 0);
        }

        // ROM:000527CA loc_527CA:
        // ROM:000527CA                 cmpa.l  a0,a4
        // ROM:000527CC                 bcs.s   loc_5275A
    } while (dststart < dstcurr);

    // ROM:000527CE                 rts
}
The remaining functions for this section look pretty easy, like setting up hardware and what not, just need to dive deep into the HW manual I guess

Last edited by a.nonyme; 25 May 2018 at 06:36.
 
Old 26 May 2018, 06:27   #15
a.nonyme
How about the "James Bond Girls" before 0x52000/21_1 though ?
The "State" "Of" "The" "Art" comes after the JBGs. Do you remember which section it is ?
 
Old 26 May 2018, 20:26   #16
StingRay
Quote:
Originally Posted by a.nonyme View Post
Final version of the big function, need to make sens of it now ...

This is the PowerPacker decruncher code.



Quote:
Originally Posted by a.nonyme View Post
How about the "James Bond Girls" before 0x52000/21_1 though ?
The "State" "Of" "The" "Art" comes after the JBGs. Do you remember which section it is ?

That code should be in the first loader part if memory serves me right but I can't remember which file that is. Something for you to find out.
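Added example (editor's, not code from this thread, from Spaceballs or from the PowerPacker library): a Python decruncher for the standard PP20 container, plus a small greedy cruncher so the round trip can be checked without a real file. The bit reader keeps the 68k direction of the routine posted above: longwords are taken from the end of the crunched data (move.l -(a5),d7), the low bit is consumed first, and multi-bit fields are assembled most-significant bit first. The decruncher follows the PP20 stream rules as implemented by the open-source ports (selector bit, literal run counted in 2-bit chunks, 2-bit match code selecting an offset width from the header, a 7-bit short-offset form and 3-bit length extension for the long form) and refuses matches or literal runs that would leave the output buffer. The disassembly above is not a drop-in for this: its header keeps the decrunched/crunched lengths at +4/+8 with data at +12 and the offset widths in bytes 0..3, and it assembles literal bytes with roxr.b, so use this as reference behaviour to diff against rather than as a reimplementation of sub_5273E. The offset width table (9, 10, 12, 13) and the 64-byte match cap in the cruncher are my choices.

```python
PP20_MAGIC = b"PP20"

class BitReader:
    """68k stream direction: bytes are consumed from the END of the crunched data
    (move.l -(a5),d7), low bit first; multi-bit values are assembled MSB-first."""
    def __init__(self, data: bytes):
        self.seq = [(byte >> j) & 1 for byte in reversed(data) for j in range(8)]
        self.i = 0

    def bits(self, count: int) -> int:
        if self.i + count > len(self.seq):
            raise ValueError("ran out of crunched data")
        value = 0
        for _ in range(count):
            value, self.i = (value << 1) | self.seq[self.i], self.i + 1
        return value

def read_chunks(rd: BitReader, width: int, more: int) -> int:
    """Count extension: sum width-bit chunks until one is not the 'more' value."""
    total = 0
    while True:
        chunk = rd.bits(width)
        total += chunk
        if chunk != more:
            return total

def pp20_decrunch(packed: bytes) -> bytes:
    """Layout: 'PP20', 4 offset-width bytes, crunched data, 3-byte decrunched
    length, 1 byte of padding bits to skip. Output is written backwards, like -(a0)."""
    if len(packed) < 12 or packed[:4] != PP20_MAGIC:
        raise ValueError("not a PP20 file")
    offset_lens, dest_len = packed[4:8], int.from_bytes(packed[-4:-1], "big")
    rd, out, pos = BitReader(packed[8:-4]), bytearray(dest_len), dest_len
    rd.bits(packed[-1])
    while pos > 0:
        if rd.bits(1) == 0:                      # literal run: 1 + 2-bit chunks (3 = more)
            todo = 1 + read_chunks(rd, 2, 3)
            if todo > pos:
                raise ValueError("literal run past start of output")
            for _ in range(todo):
                pos -= 1
                out[pos] = rd.bits(8)
            if pos == 0:
                break
        code = rd.bits(2)                        # match: length = code + 2, offset width from table
        todo, offbits = code + 2, offset_lens[code]
        if code == 3 and rd.bits(1) == 0:        # long match may use a short 7-bit offset
            offbits = 7
        offset = rd.bits(offbits)
        if code == 3:                            # then 3-bit length chunks (7 = more)
            todo += read_chunks(rd, 3, 7)
        if pos + offset >= dest_len or todo > pos:
            raise ValueError("match outside output buffer")
        for _ in range(todo):                    # move.b (a0,d0.w),-(a0): source is offset+1 ahead
            pos -= 1
            out[pos] = out[pos + offset + 1]
    return bytes(out)

def pp20_crunch(data: bytes, offset_lens=(9, 10, 12, 13)) -> bytes:
    """Greedy cruncher for the same container (offset widths and the 64-byte match
    cap are my choices), working backwards from the end like the decruncher."""
    bits = []                                    # in the order the decruncher reads them
    def emit(value, width):
        bits.extend((value >> i) & 1 for i in range(width - 1, -1, -1))
    def emit_chunks(extra, width, more):
        for _ in range(extra // more):
            emit(more, width)
        emit(extra % more, width)
    def find_match(p):                           # longest run ending at p, copied from higher addresses
        best = (0, 0)
        for off in range(min((1 << min(offset_lens)) - 1, len(data) - p - 1) + 1):
            n = 0
            while n < min(p, 64) and data[p - 1 - n] == data[p + off - n]:
                n += 1
            if n > best[0]:
                best = (n, off)
        return best

    p = len(data)
    while p > 0:
        n, off = find_match(p)
        if n < 2:                                # literal run, gathered backwards
            lits = []
            while p > 0 and n < 2:
                lits.append(data[p - 1])
                p -= 1
                n, off = find_match(p)
            emit(0, 1)
            emit_chunks(len(lits) - 1, 2, 3)
            for b in lits:
                emit(b, 8)
            if p == 0:
                break
        else:
            emit(1, 1)
        if n <= 4:                               # a match always follows a literal run
            emit(n - 2, 2)
            emit(off, offset_lens[n - 2])
        else:
            emit(3, 2)
            emit(0 if off < 128 else 1, 1)
            emit(off, 7 if off < 128 else offset_lens[3])
            emit_chunks(n - 5, 3, 7)
        p -= n
    skip = -len(bits) % 32                       # pad the first longword the decruncher loads
    bits[:0] = [0] * skip
    packed = bytearray(len(bits) // 8)
    for i, b in enumerate(bits):                 # bit i -> byte i//8 from the end, bit i%8
        packed[len(packed) - 1 - i // 8] |= b << (i % 8)
    return PP20_MAGIC + bytes(offset_lens) + bytes(packed) + len(data).to_bytes(3, "big") + bytes([skip])
```

The two bounds checks are the part a security reader should keep: a crunched stream is attacker-controlled input, and the 68k original trusts it completely, so a match offset pointing past the end of the buffer or a count larger than what is left simply scribbles over memory. The cruncher never produces such streams, which is what the round-trip test relies on.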
Old 27 May 2018, 05:03   #17
a.nonyme
Thanks for this information! I found a C++ version of "PowerPacker" on github to compare with at https://github.com/ipr/PowerPacker-decrunch