English Amiga Board > Coders > Coders. General
Old 24 May 2008, 21:37   #41
crabfists
Thanks for the replies. The game I am disassembling is Ruff'n'Tumble. I have downloaded the source for the slave and have commented bits as I think I figure out what is going on. The comments starting with ;; are mine. (Sorry, the comment alignment got a bit messed up.)

I haven't posted the whole of the source, just the bit that loads the first file, patches it, then jumps to the patched code, as that is the bit I am stuck on. I have figured out that the jmp to BASE_ADDRESS+$E6 is jumping into the code that has just been patched. I'm not really sure what the code is, but like I said I think it's Rob Northen code, as I have spotted trace vector decoder setup code and code which looks encrypted. This code does a load of stuff I don't really understand (like relocating most of itself to location $50000 then jumping to $50000).

I have put a breakpoint when it comes across the patched trap #$f instruction, and at this point the address of patch_loader_1 is in location $bc, which apparently is the address of the handler for trap #$f. Like I said before, stepping over the trap instruction doesn't take me to the address of patch_loader_1 as I expected but to another routine.

I guess what I really would like to know is how can I know which code is rob northen code and which is ruff'n'tumble game code? Is there an easy way to know? It's quite interesting learning about copy protection but I would really like to get my hands on the real meat of the game code. Am I asking too much?

Code:
        lea     _resload(pc),a1
        move.l  a0,(a1)                 ; save for later use

        move.l  a0,a2
        lea     (_tag,pc),a0
        jsr     (resload_Control,a2)

        lea     $7FF00,a7

        lea     two_button_control(pc),a0
        move.l  _custom1(pc),(a0)

        ; load & version check

        lea     BASE_ADDRESS,A0         ;; load to $10000
        move.l  #$3000,D0               ; offset $3000 from disk
        move.l  #$1600,D1               ;; length $1600 bytes
        moveq   #1,D2                   ;; load from disk 1
        bsr     _loaddisk               ;; load file.1 from the disk
        lea     BASE_ADDRESS,A0
        move.l  #$1600,d0
        jsr     resload_CRC16(a2)       ;; do checksum on all $1600 bytes

        cmp.l   #$33CE,d0               ;; compare checksum
        beq.b   .cont                   ;; goto .cont if it was ok

        pea     TDREASON_WRONGVER       ;; quit if wrong checksum
        move.l  _resload(pc),-(a7)
        addq.l  #resload_Abort,(a7)
        rts
.cont
        lea     pl_boot(pc),a0          ;; put patch list addr in a0
        lea     BASE_ADDRESS,A1         ;; file.1 exe base address to patch
        jsr     resload_Patch(a2)       ;; patch the exe with the patch list located at pl_boot

        ;; setup some user defined vector. how does this get called?
        lea     $100,a0                 ;; addr of user defined vector #0
        ;; don't know what this does
        move.l  #$80000,(a0)+           ; expsize
        move.l  extbase(pc),(a0)+       ; expbase
        move.l  #$80000,(a0)+           ; expsize

        pea     patch_loader_1(pc)      ;; push patch_loader_1 onto stack
        move.l  (a7)+,$BC.W             ;; set as trap exception vector for trap #$f

        ;; setup registers/flags before jumping to file.1 exe?
        sub.l   a6,a6                   ;; set a6 to 0
        moveq.l #0,d4
        moveq.l #0,d5
        jmp     BASE_ADDRESS+$E6        ;; jump into file.1 exe.
                                        ;; this jumps to just before the code where it does the jump to $50000
                                        ;; how does it return?
pl_boot
        PL_START                        ;; patch list start

        ; Rob read

        PL_P    $170,read_sectors       ;; patch jump

        ; Copy protection

        PL_L    $774,$21FCBED7          ;; patch long
        PL_L    $778,$B57D0110          ;; patch long
        PL_R    $77C                    ;; set rts

        ; Trap the loader

        PL_W    $16C,$4E4F              ;; patch word. set to trap #$f. trap #$f will call patch_loader_1?
        PL_END                          ;; patch list end

patch_loader_1                          ;; the address of this is in address $bc. trap exception vector #$f
        movem.l d0-d1/a0-a2,-(a7)
        lea     pl_loader(pc),a0
        move.l  two_button_control(pc),d0
        beq     .not
        lea     pl_loader_2nd_button(pc),a0
.not
        sub.l   a1,a1
        move.l  _resload(pc),a2
        jsr     resload_Patch(a2)
        movem.l (a7)+,d0-d1/a0-a2
        jmp     $804.W                  ;; where is this jumping to?
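Added example, not from the thread and not WHDLoad's own code: a Python model of what the boot code in the post above does to file.1. It checksums the loaded image, applies the pl_boot list the same way the slave's PL_ macros do (PL_P writes a JMP to the replacement routine, PL_W/PL_L write a word/long, PL_R writes RTS), and works out which exception vector the patched TRAP lands on, which is how $BC comes to hold patch_loader_1. Assumptions: the CRC is CRC-16/XMODEM (poly $1021, init 0), which need not be what resload_CRC16 computes, so the $33CE value is not reproduced; the image is constructed filler rather than the game's data; read_sectors is given a hypothetical address. The two PL_L longs at $774 decode to move.l #$BED7B57D,$110.w ($21FC is MOVE.L #imm,abs.w), so the protection routine is replaced by a store of a fixed value followed by the RTS at $77C.

```python
import struct

BASE_ADDRESS = 0x10000            # load address of file.1 in the posted slave
OP_JMP_ABS_L = 0x4EF9             # JMP $xxxxxxxx.L
OP_RTS = 0x4E75
OP_TRAP = 0x4E40                  # TRAP #n is $4E40 + n


def crc16(data, poly=0x1021, init=0x0000):
    """CRC-16, MSB first, no reflection (CRC-16/XMODEM parameters).
    Assumption: resload_CRC16 may use other parameters; only the
    check-then-abort logic is modelled, not the game's $33CE value."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def patch_footprint(patchlist):
    """Byte ranges a patch list writes, as (offset, length)."""
    sizes = {"PL_P": 6, "PL_L": 4, "PL_W": 2, "PL_R": 2}
    return [(off, sizes[op]) for op, off, _ in patchlist]


def apply_patchlist(image, patchlist, symbols):
    """Apply a WHDLoad-style patch list to a loaded image.

    Entries are (op, offset, arg), offsets relative to the load address as in
    pl_boot: PL_P writes JMP <label>.L (6 bytes), PL_W/PL_L write a word or
    longword, PL_R writes RTS.  `symbols` maps PL_P labels to the absolute
    address of the slave routine they jump to."""
    img = bytearray(image)
    for op, off, arg in patchlist:
        if op == "PL_P":
            struct.pack_into(">HI", img, off, OP_JMP_ABS_L, symbols[arg])
        elif op == "PL_W":
            struct.pack_into(">H", img, off, arg)
        elif op == "PL_L":
            struct.pack_into(">I", img, off, arg)
        elif op == "PL_R":
            struct.pack_into(">H", img, off, OP_RTS)
        else:
            raise ValueError("unknown patch op %r" % op)
    return bytes(img)


def trap_vector(opcode):
    """(n, vector address) for a TRAP #n opcode.  TRAP #n takes exception
    vector 32+n and vectors are longwords, so the handler pointer lives at
    (32+n)*4: TRAP #15 -> vector 47 -> $BC, the slot the slave fills."""
    if opcode & 0xFFF0 != OP_TRAP:
        raise ValueError("not a TRAP opcode: $%04X" % opcode)
    n = opcode & 0xF
    return n, (32 + n) * 4


# pl_boot, transcribed from the posted slave source.
PL_BOOT = [
    ("PL_P", 0x170, "read_sectors"),  # Rob read: jump out to the slave's loader
    ("PL_L", 0x774, 0x21FCBED7),      # copy protection: together these decode to
    ("PL_L", 0x778, 0xB57D0110),      #   move.l #$BED7B57D,$110.w ($21FC = MOVE.L #imm,abs.w)
    ("PL_R", 0x77C, None),            #   rts
    ("PL_W", 0x16C, 0x4E4F),          # trap the loader: TRAP #15
]


def boot_check_and_patch(image, expected_crc, symbols):
    """The slave's 'load & version check' path: the patched image, or None
    where the slave would push TDREASON_WRONGVER and call resload_Abort."""
    if len(image) != 0x1600:
        raise ValueError("file.1 is expected to be $1600 bytes")
    if crc16(image) != expected_crc:
        return None
    return apply_patchlist(image, PL_BOOT, symbols)


# Constructed stand-in for file.1 (filler, not the game's data).
FILE1 = bytes((i * 7 + 3) & 0xFF for i in range(0x1600))
# Hypothetical absolute address for the slave's read_sectors routine.
SYMBOLS = {"read_sectors": 0x7F000}


def demo():
    patched = boot_check_and_patch(FILE1, crc16(FILE1), SYMBOLS)
    n, vector = trap_vector(struct.unpack_from(">H", patched, 0x16C)[0])
    jmp_op, target = struct.unpack_from(">HI", patched, 0x170)
    prot = struct.unpack_from(">HIH", patched, 0x774)       # opcode, imm, abs.w
    changed = [i for i, (a, b) in enumerate(zip(FILE1, patched)) if a != b]
    inside = all(any(o <= i < o + l for o, l in patch_footprint(PL_BOOT))
                 for i in changed)
    return {
        "trap": n, "vector": vector,                        # 15, 0xBC
        "jmp_to": target if jmp_op == OP_JMP_ABS_L else None,
        "prot": prot,                                       # (0x21FC, 0xBED7B57D, 0x0110)
        "rts_at_77c": struct.unpack_from(">H", patched, 0x77C)[0] == OP_RTS,
        "only_patched_bytes_changed": inside,
    }


if __name__ == "__main__":
    print(demo())
```

The check that only the bytes named in the patch list changed is the one worth keeping around when writing your own patch lists: an offset typo in a PL_P silently corrupts six bytes of whatever sits there.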
Old 25 May 2008, 19:25   #42
Asman
Hi crabfists

Quote:
Also, I don't quite understand what the rnc code is doing (and I don't know if I need to to work it out to get to the game's code).
Because I have never patched games with RNC code (a long time ago I tried to patch the ATR demo), my knowledge about that isn't large. RNC code simply loads data from disk (a kind of trackloader); that's all I know, and I think that is enough for me (how it's done is another problem).

Quote:
The WHDLoad slave loads the rnc code to location $10000 but then the rnc code copies most of itself into location $50000 and jumps to there. Later on, when on the game title screen, if I look at location $10000 the rnc code does not exist any more. Why does it relocate itself like this?
Why doesn't it just load itself directly to location $50000 in the first place?
I think that the WHDLoad slave tries to emulate some situation. When you put a disk into df0: the bootsector is loaded. Now the question is where it is loaded, at which address in memory. The answer is simple: somewhere at a lower address. Relocation to a known address is a kind of protection. You know the address, you are safe. Now you can load data, call some code, and you always know where the trackloader address is. Relocation is used very often in NDOS games. Of course this isn't true relocation, it's a copy routine (true relocation is used in Flying Shark). Now you know why the WHDLoad slave chose location $10000. Of course it is possible to load the RNC code into $50000 and remove the copy code. But remember some games can check that relocated code (another type of protection).

As always any comments are welcome.

Regards
Old 03 June 2008, 04:42   #43
Pyromania
Could someone zone the Resource 6 manual again please?
Old 03 June 2008, 10:21   #44
RedskullDC
Hi Pyro,

Quote:
Originally Posted by Pyromania
Could someone zone the Resource 6 manual again please?
Will upload again when I get home from work in a few hours.

In the meantime, I just uploaded the 68000 programmer's reference card.

Enjoy,
Red
Old 03 June 2008, 11:45   #45
zenox98
Cheers RedskullDC. That's one fine crib sheet.
Old 03 June 2008, 15:54   #46
RedskullDC
Hi Zenox98,
Quote:
Originally Posted by zenox98
Cheers RedskullDC. That's one fine crib sheet
Glad you like it. Also uploaded 6502 and Z80 versions in case you are interested.
Sure there are more than a few C64/C128 lurkers here who would also like 'em.

The Resource manual is also in the zone as you requested, Pyromania.
(Really must get around to OCR'ing it.)

Enjoy,
Red
Old 03 June 2008, 15:56   #47
BippyM
RedskullDC do you have any other 680x0 reference material/manuals/examples/source etc you'd be willing to share with us?
Old 03 June 2008, 16:01   #48
RedskullDC
Hi Bippym,

Quote:
Originally Posted by bippym
RedskullDC do you have any other 680x0 reference material/manuals/examples/source etc you'd be willing to share with us?
Sure, plenty of other stuff which isn't on Aminet.

Is there somewhere in particular I should post to indicate I have uploaded stuff? (somewhere in coder's heaven perhaps?)

Cheers,
Red
Old 03 June 2008, 16:03   #49
BippyM
You can either put it in the zone, or email it to me (myname at gmail.com) and I'll put it on my webspace.
Old 03 June 2008, 16:15   #50
RedskullDC
Hi again bippym,

Quote:
Originally Posted by bippym
You can either put it in the zone, or email it to me (myname at gmail.com) and I'll put it on my webspace.
There you go, some source code (devpac3 format) to get the ball rolling.

I have a couple of 68k manuals which are half-OCR'ed.
Will upload when done.

I'm always keen to look at others' source code; you never stop learning new tricks.

Cheers,
Red
Old 13 June 2008, 17:16   #51
heavy
I made a little "how to" crack Ruff'n'Tumble on Flashtro (and some others). This is a simple RNC (encrypted routine started in trace mode, but no resourcing here).
Very... interesting to resource a whole game! I've done the LionHeart main prog (for the remake), a little bit commented... but hard. Try with some intros/megademos first.
(Hmm... a Windows remake of R'nT is almost finished.)
Attached file: tutoRNT.zip (1.81 MB)
Old 13 June 2008, 18:37   #52
crabfists
Oooh, thanks. That will be useful. I will take a look later.

I've noticed there is a Ruff'n'Tumble remake in progress but that doesn't bother me too much. If I get anywhere with this project (and I am not promising I will) it will be open source and cross platform, so it would differ from the remake in that it could potentially be ported to the DS for example. Have you got anything to do with the Windows remake? It's written in Blitz Basic, isn't it?
Old 13 June 2008, 18:45   #53
heavy
Quote:
Have you got anything to do with the windows remake?
No, nothing.

Great if the project is open source and cross platform. A DS or PSP version would be good (like the Flashback "Reminiscence" project).
Old 09 July 2008, 16:31   #54
hitchhikr
For games using absolute addresses (like most trackloaded ones) I suggest you use IDA (preferably a 5.xx version at least), otherwise use ReSource.

In every case it's a huge and cumbersome job to disassemble a complete game to finally obtain source code good enough to be re-assembled into a working executable (even for smaller games).
Old 09 July 2008, 16:39   #55
StingRay
Quote:
Originally Posted by hitchhikr
For game using absolute addresses (like most trackloaded ones) i suggest you to use IDA (preferably a 5.xx version at least) otherwise use resource.
Which advantage does IDA Pro have in that case? Just curious. It's perfectly possible to disassemble code that's using absolute addresses with ReSource so I'd like to know how much better IDA Pro performs that task.
Old 09 July 2008, 16:47   #56
hitchhikr
It's less tedious, you can specify the loading address and it's faster than ReSource; also the analysis seems to be better (or at least IDA fixes all the labels that are within the range of the loaded file addresses without any user intervention).
One drawback of IDA is that it doesn't seem to understand word absolute addresses (a0,$100.w for example, but ReSource doesn't handle that either I think), so it can shift addresses in the source code.

Once the game has been disassembled it's important to be able to recreate the exact same binary/executable file as the original to begin with.
I use vasm/vlink for the re-assembling job.
Old 09 July 2008, 16:54   #57
StingRay
You can specify the loading address with ReSource too (essential if you want to disassemble absolute code anyway). But yes, there's a lot of needlework required to obtain a good disassembly using ReSource; disassembling absolute address code is nothing for beginners anyway IMHO (and neither is disassembling a complete game). ReSource understands the short absolute addresses if you enable "New Syntax" in the options, otherwise it doesn't, which is a bug in my opinion.

Old 09 July 2008, 18:15   #58
hitchhikr
Well, disassembling with IDA is a very long task too.

I found that it helps a lot to play and perfectly know the game one wants to disassemble, especially when trying to recognize the different parts of the program and its logic.

Btw, I checked and IDA understands absolute word addresses correctly. I remember there's a bug in the 68k disassembling but I can't remember where, maybe in the PC-relative addressing mode handling.
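Added example, not from the thread and not from IDA or ReSource: a small Python linear-sweep decoder for the few 68000 instructions that take a control effective address (lea, jmp, jsr) plus trap and rts. It shows concretely why a disassembler that does not treat $xxxx.w as a one-word extension shifts every address after it, which is the ReSource "New Syntax" point in posts #56 and #57, and how absolute operands that fall inside the loaded range become label candidates, the automatic labelling mentioned in #56. The opcode layouts are the standard 68000 ones; the sample bytes are constructed to match the instruction shapes in the slave listing and are not taken from the game; the `bug=True` switch is mine and stands in for the faulty behaviour described.

```python
import re
import struct

# Base opcodes for the instructions decoded here; the effective-address
# field of jmp/jsr/lea is the low 6 bits (mode:3, reg:3).
OP_JMP, OP_JSR, OP_LEA = 0x4EC0, 0x4E80, 0x41C0
OP_RTS, OP_NOP, OP_TRAP = 0x4E75, 0x4E71, 0x4E40


def signed16(w):
    return w - 0x10000 if w & 0x8000 else w


def decode_ea(mode, reg, code, pos, ext_addr, bug=False):
    """Decode a control effective address whose extension words start at byte
    offset `pos` (address `ext_addr`).  Returns (operand text, number of
    extension words), or None for modes this toy does not handle.
    `bug=True` reproduces the fault under discussion: consuming two extension
    words for $xxxx.W as if it were $xxxxxxxx.L."""
    def word(i):
        return struct.unpack_from(">H", code, pos + 2 * i)[0]
    if mode == 2:                                   # (An)
        return "(a%d)" % reg, 0
    if mode == 5:                                   # d16(An)
        return "%d(a%d)" % (signed16(word(0)), reg), 1
    if mode == 7 and reg == 0:                      # $xxxx.W, sign-extended
        return "$%X.w" % (signed16(word(0)) & 0xFFFFFFFF), (2 if bug else 1)
    if mode == 7 and reg == 1:                      # $xxxxxxxx.L
        return "$%X.l" % ((word(0) << 16) | word(1)), 2
    if mode == 7 and reg == 2:                      # d16(PC), relative to the ext word
        return "$%X(pc)" % (ext_addr + signed16(word(0))), 1
    return None


def disassemble(code, base, bug=False):
    """Linear sweep from `base`; unknown words become dc.w so the sweep never stalls."""
    listing, pc = [], 0
    while pc + 2 <= len(code):
        op = struct.unpack_from(">H", code, pc)[0]
        addr, mode, reg = base + pc, (op >> 3) & 7, op & 7
        text, size = "dc.w $%04X" % op, 2
        if op == OP_RTS:
            text = "rts"
        elif op == OP_NOP:
            text = "nop"
        elif op & 0xFFF0 == OP_TRAP:
            text = "trap #%d" % (op & 0xF)
        elif op & 0xFFC0 in (OP_JMP, OP_JSR) or op & 0xF1C0 == OP_LEA:
            try:
                ea = decode_ea(mode, reg, code, pc + 2, addr + 2, bug)
            except struct.error:                     # truncated at end of buffer
                ea = None
            if ea is not None:
                operand, nwords = ea
                size = 2 + 2 * nwords
                if op & 0xFFC0 == OP_JMP:
                    text = "jmp " + operand
                elif op & 0xFFC0 == OP_JSR:
                    text = "jsr " + operand
                else:
                    text = "lea %s,a%d" % (operand, (op >> 9) & 7)
        listing.append((addr, text))
        pc += size
    return listing


def targets_in_range(listing, lo, hi):
    """Absolute operands inside [lo, hi): what a disassembler can turn into
    labels on its own when it knows the load address and file size."""
    hits = []
    for addr, text in listing:
        for m in re.finditer(r"\$([0-9A-F]+)\.[wl]", text):
            target = int(m.group(1), 16)
            if lo <= target < hi:
                hits.append((addr, target))
    return hits


# Constructed sample (not game code), shaped like the slave listing above.
SAMPLE = bytes.fromhex(
    "41F8 0100"        # $1000: lea  $100.w,a0     (the table the slave builds at $100)
    "43F8 00BC"        # $1004: lea  $BC.w,a1      (the trap #15 vector slot)
    "4EB9 0005 0000"   # $1008: jsr  $50000.l      (the relocated RNC code)
    "4EF9 0001 00E6"   # $100E: jmp  $100E6.l      (BASE_ADDRESS+$E6)
    "4E4F"             # $1014: trap #15
    "4E75"             # $1016: rts
)

if __name__ == "__main__":
    for flag in (False, True):
        print("bug =", flag)
        for addr, text in disassemble(SAMPLE, 0x1000, bug=flag):
            print("  $%05X  %s" % (addr, text))
    print(targets_in_range(disassemble(SAMPLE, 0x1000), 0x10000, 0x11600))
```

With the fault switched on, the first lea swallows the opcode of the second one, the `$BC` reference turns into a stray `dc.w`, and every later address is off until the sweep happens to resynchronise; in a real listing that is exactly the kind of shift that makes a re-assembled binary differ from the original, which is why hitchhikr's byte-for-byte comparison after re-assembly is worth doing.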
Old 22 July 2008, 15:59   #59
pmc
Not necessarily related to disassembling games, this question, but still about disassembling:

If I load a crunched file into a disassembler I assume that what I see a disassembly of is the decrunch header added by the cruncher that originally crunched the file. Is that the case?

If so, what's the best way to get a disassembly of the actual file in its uncrunched state?

I assume that I'd either have to uncrunch the file back to its original form first (which means I'd have to know what it was crunched with in the first place...?) or load it so that it decrunches and then disassemble it in memory. Would option two even be possible if the program that loaded into memory (for example a demo) killed off the system, meaning I then couldn't use ReSource at the same time?

Anyone got any hints for a novice disassembler?
Old 22 July 2008, 16:08   #60
Angus
Quote:
Originally Posted by mark_k
I have done that for Emerald Mine (pretty much complete disassembly with comments, meaningful label names etc.). Quite interesting, and found a few bugs. Also did it to a lesser degree with Carrier Command, but that's a much larger program.

Mark_k, Carrier Command is one of my favourite games ever; my only criticism of it would be that it needs a bit of tweaking to make it more challenging in the later stages. I'm not suggesting that is something you would want to do necessarily, but did you get to the stage where any tweaking was possible?