English Amiga Board > Coders > Coders. Asm / Hardware
Disassembling - finding a game start address

#1  SparkyNZ, 05 March 2015, 08:01

How would I go about finding out where the start address is for a game - in general.

I'm using WinUAE so I can freeze the game (non-WB game) and start using the debugger. Is it possible to determine the start address of the code by continuously popping addresses off the stack?

The game is one of many cracked games.
#2  phx, 05 March 2015, 08:39
Quote: Originally Posted by SparkyNZ
I'm using WinUAE so I can freeze the game (non-WB game) and start using the debugger. Is it possible to determine the start address of the code by continuously popping addresses off the stack?
Usually not. You can only guess where the return addresses on the stack are. There can be any amount of data between them. Also the game may start over several direct or indirect jumps or exceptions (like TRAP, for switching into supervisor mode).

You will have to follow the old-school method of disassembling the boot-loader and find out where the main program is loaded and executed.
#3  Codetapper, 05 March 2015, 08:41
It depends on the game. If it's an old single file crack, the jump address is very easy to extract out of the cruncher. Popping addresses off the stack will only return you to a routine that jumped or branched to a subroutine, so if the game had a jump earlier on then that won't be on the stack.

What game is it, and why exactly do you want the start address anyway?
#4  SparkyNZ, 05 March 2015, 08:53
Quote: Originally Posted by Codetapper
What game is it, and why exactly do you want the start address anyway?
It's Mercenary, Escape from Targ (Second City also on the same disk). There are two "game files" on the disk which can be seen via CLI but they don't appear to be executable.

The reason I'd like the start address is to get a starting point to try and figure out how the game works. Do you think there's a better way? The other thing I was thinking of doing was looking for obvious custom chip addresses in the code, but ideally I'd like to know where the starting location is - assuming that the code isn't self-modifying.

Quote: Originally Posted by phx
You will have to follow the old-school method of disassembling the boot-loader and find out where the main program is loaded and executed.
Thanks. What's the best way to follow the boot-loader? Do you have a favourite tool or book? I have a copy of ReSource - I think that can load the boot-loader content directly, can't it? Or will I have to use a "Disk Editor" tool in conjunction with the RKM Devices manual? Devices manual.. hmm.. Isn't the boot-loader documented in the Hardware Ref Manual? I'm going to have to go and look, aren't I.

Last edited by TCD; 05 March 2015 at 13:55. Reason: Back-to-back posts merged.
#5  phx, 05 March 2015, 09:39
On an NDOS disk you will usually start disassembling the boot block. This can be done with any disassembler you like. You don't need to reassemble it.

In the case of Mercenary we have a simple DOS disk, which will execute the file "c/Escape_From_Targ". Here it makes sense to reassemble this program, because the developers were so friendly to leave the symbols in.

First it loads Game1_Code into an allocated Chip memory region:
Code:
grasp_mem:
        MOVE.L  Block0_Size,D0          ;06e: 2039000000ec   byteSize = $2a000
        MOVE.L  #$00010002,D1           ;074: 223c00010002   MEMF_CLEAR|MEMF_CHIP
        MOVEA.L ABSEXECBASE.W,A6        ;07a: 2c780004       exec.library base from $4
        JSR     -198(A6)                ;07e: 4eaeff3a       exec AllocMem()
        TST.L   D0                      ;082: 4a80
        BEQ.W   BOMB                    ;084: 6700000a       no Chip memory: bail out
        MOVE.L  D0,Block0_Data          ;088: 23c0000000f0   remember the buffer address
        RTS                             ;08e: 4e75
BOMB:
        JMP     EXT_0000                ;090: 4ef900000000   jump to address 0 (crash)
load:
        MOVE.L  #Block0_Name,D1         ;096: 223c000000dc   name = "DF0:Game1_Code"
        MOVE.L  #$000003ed,D2           ;09c: 243c000003ed   accessMode = MODE_OLDFILE (1005)
        MOVEA.L _DOSBase,A6             ;0a2: 2c790000005a
        JSR     -30(A6)                 ;0a8: 4eaeffe2       dos Open()
        MOVE.L  D0,File_handle          ;0ac: 23c0000000f4   (return value is not checked)
        MOVE.L  Block0_Size,D3          ;0b2: 2639000000ec   length = $2a000
        MOVE.L  Block0_Data,D2          ;0b8: 2439000000f0   buffer = the Chip memory block
        MOVE.L  D0,D1                   ;0be: 2200           file handle
        MOVEA.L _DOSBase,A6             ;0c0: 2c790000005a
        JSR     -42(A6)                 ;0c6: 4eaeffd6       dos Read(): whole file in one go
        MOVE.L  File_handle,D1          ;0ca: 2239000000f4
        MOVEA.L _DOSBase,A6             ;0d0: 2c790000005a
        JSR     -36(A6)                 ;0d6: 4eaeffdc       dos Close()
        RTS                             ;0da: 4e75
Block0_Name:
        ;0dc
        ;DC.B   $44,$46,$30,$3a,$47,$61,$6d,$65,$31,$5f,$43,$6f,$64,$65,$00,$00
        DC.B    "DF0:Game1_Code",0,0
Block0_Size:
        DC.L    $0002a000               ;0ec   size of Game1_Code in bytes
Block0_Data:
        DS.L    1                       ;0f0   address of the allocated buffer
File_handle:
        DS.L    1                       ;0f4
Then it switches to supervisor mode, installs a copper list and copies the game code to $40000. The game is started at $401c0.

Code:
doit:
        MOVE.L  Block0_Data,D6          ;0f8: 2c39000000f0   D6 = buffer holding Game1_Code
        LEA     L_002(PC),A0            ;0fe: 41fa000a
        MOVE.L  A0,TRAP_01              ;102: 23c800000080   TRAP #0 vector ($80) -> L_002
        TRAP    #0                      ;108: 4e40           enter supervisor mode
L_002:
        MOVE    #$2700,SR               ;10a: 46fc2700       supervisor, all interrupts masked
        LEA     doit2(PC),A0            ;10e: 41fa001a
        LEA     EXT_0004,A1             ;112: 43f900001000   copy the rest of the loader to $1000
        MOVE.L  #$00000800,D0           ;118: 203c00000800   so it survives the big copy below
doit1:
        MOVE.L  (A0)+,(A1)+             ;11e: 22d8
        DBF     D0,doit1                ;120: 51c8fffc
        JMP     EXT_0004                ;124: 4ef900001000   continue in the relocated copy
doit2:
        MOVEA.W #$6000,A7               ;12a: 3e7c6000       new supervisor stack
        LEA     Copper_List(PC),A0      ;12e: 41fa0082
        LEA     EXT_0003,A1             ;132: 43f900000544   copy the copper list to $544
        MOVE.W  #$0020,D0               ;138: 303c0020
L_003:
        MOVE.L  (A0)+,(A1)+             ;13c: 22d8
        DBF     D0,L_003                ;13e: 51c8fffc
        BSR.W   L_019                   ;142: 6100003a
        MOVE.L  #$0000a800,D0           ;146: 203c0000a800   $2a000 bytes = $a800 longwords
        MOVEA.L D6,A0                   ;14c: 2046           source: loaded file
        MOVEA.L #$00040000,A1           ;14e: 227c00040000   destination: $40000
        CMPA.L  A0,A1                   ;154: b3c8
        BCS.W   copy_up                 ;156: 6500001a       dest below source: forward copy is safe
        ADDA.L  #$0002a000,A0           ;15a: d1fc0002a000   otherwise copy backwards from the end
        ADDA.L  #$0002a000,A1           ;160: d3fc0002a000   (regions may overlap)
copy_down:
        MOVE.L  -(A0),-(A1)             ;166: 2320
        DBF     D0,copy_down            ;168: 51c8fffc
        JMP     EXT_0005                ;16c: 4ef9000401c0   game entry point $401c0
copy_up:
        MOVE.L  (A0)+,(A1)+             ;172: 22d8
        DBF     D0,copy_up              ;174: 51c8fffc
        JMP     EXT_0005                ;178: 4ef9000401c0   game entry point $401c0
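The post above says the first thing to look at on an NDOS disk is the boot block, while a plain DOS disk just runs a file. The following added example (not from the thread or from any Mercenary disk) reads the 1024-byte boot block from an ADF image, checks the "DOS" signature and the boot block checksum, and reports where the boot code starts, so you know which of the two cases you are in before reaching for a disassembler. The sample boot block is constructed in the code; the boot code bytes in it are the well-known standard AmigaDOS boot code.

```python
import struct

BOOTBLOCK_SIZE = 1024   # first two 512-byte sectors of the disk (ADF offset 0)

def bootblock_checksum(block: bytes) -> int:
    """Amiga boot block checksum: add all 256 big-endian longwords, treating the
    checksum field (offset 4) as zero and folding the carry back in after each
    addition, then take the one's complement."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def inspect_bootblock(block: bytes) -> dict:
    """Classify a boot block: DOS or not, checksum valid, root block number and
    the offset of the boot code (what you feed to the disassembler)."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    stored = struct.unpack_from(">I", block, 4)[0]
    return {
        "is_dos": block[:3] == b"DOS",
        "dostype": block[3],                    # 0 = OFS, 1 = FFS, ...
        "checksum_ok": stored == bootblock_checksum(block),
        "rootblock": struct.unpack_from(">I", block, 8)[0],
        "code_offset": 12,
    }

def read_bootblock(adf_path: str) -> bytes:
    with open(adf_path, "rb") as f:
        return f.read(BOOTBLOCK_SIZE)

# Standard boot code: FindResident("dos.library"), jump to its RT_INIT.
STANDARD_BOOT_CODE = bytes.fromhex(
    "43fa0018 4eaeffa0 4a80670a 20402068 00167000 4e7570ff 60fa646f"
    "732e6c69 62726172 7900".replace(" ", ""))

def make_sample_bootblock(code: bytes = STANDARD_BOOT_CODE) -> bytes:
    """Constructed sample: a fresh OFS boot block with a valid checksum."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)       # root block of a DD disk
    block[12:12 + len(code)] = code
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)
```

A block whose first three bytes are not "DOS", or whose checksum does not verify, is the NDOS case where the boot code itself is the loader to disassemble.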
#6  SparkyNZ, 05 March 2015, 10:11
Quote: Originally Posted by phx
Here it makes sense to reassemble this program, because the developers were so friendly to leave the symbols in.
Sorry, how do you mean that the developers left the symbols in? Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?

Hey - thanks for doing this - I wish I was this good!!!
#7  Galahad/FLT, 05 March 2015, 10:21
Quote: Originally Posted by SparkyNZ
Sorry, how do you mean that the developers left the symbols in? Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?

Hey - thanks for doing this - I wish I was this good!!!
Is it my version of Mercenary and Second City by any chance?
#8  SparkyNZ, 05 March 2015, 10:25
Quote: Originally Posted by Galahad/FLT
Is it my version of Mercenary and Second City by any chance?
Is this one yours? ..

Mercenary Compendium (1988)(Novagen)[cr BS1 - TKT].adf
#9  Galahad/FLT, 05 March 2015, 10:28
Quote: Originally Posted by SparkyNZ
Is this one yours? ..

Mercenary Compendium (1988)(Novagen)[cr BS1 - TKT].adf
Nope, that's Bamiga Sector 1 and The Kent Team.

Would imagine they are single filed and easy to do. If you were lazy, you could probably use a util like DLD which is a depacker util, and if they used an absolute packer, on depacking the game files, it will give you the load address and start address for the file when it depacks.

If that doesn't work, actually loading up the file in a disassembler you should be able to find the depack address quite easily.

On older releases, invariably the load address was the same as the address to activate the game.
#10  SparkyNZ, 05 March 2015, 10:43
Quote: Originally Posted by Galahad/FLT
Would imagine they are single filed and easy to do. If you were lazy, you could probably use a util like DLD which is a depacker
I'm pretty lazy.. but it is good to know what I'm doing. I'm quite busy with another project at the moment but I'm just tinkering and doing a bit of research before I start fiddling and nosing around the Mercenary games. Many years ago some kind person cracked Mercenary 3 for me - I bought it cheap when I had an A1200 and it wouldn't run on the AGA machine. That person cracked it in an hour or so and sent me a copy that worked on my A1200. So by the looks of things, Damocles and Mercenary 3 will be NDOS disks.. unless there are cracked copies out there which are normal DOS disks of course? Perhaps you cracked these too?

Call me nuts but I do have an interest in all of the Mercenary games.
#11  phx, 05 March 2015, 10:45
Quote: Originally Posted by SparkyNZ
Sorry, how do you mean that the developers left the symbols in?
Most labels which you see in the reassembly are the labels from the original source text.

Quote:
Are you saying that there is a map file of sorts (or code section) which lists the library function call names etc?
The HUNK_CODE (code section contents) is accompanied by a HUNK_SYMBOL, which defines all those label names and offsets.
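The HUNK_SYMBOL block phx mentions is easy to read back out of an AmigaDOS executable, which is how a reassembler recovers names like grasp_mem and doit. The following added example (my own code, not from the thread or from any tool mentioned in it) walks the hunk structure and returns every symbol with its hunk number and offset; the executable it parses is a constructed one-hunk sample, and the symbol names and offsets in it are made up for the test, not read from the real Escape_From_Targ file.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3EF, 0x3F1, 0x3F2

def _u32(buf: bytes, pos: int):
    return struct.unpack_from(">I", buf, pos)[0], pos + 4

def hunk_symbols(buf: bytes) -> list:
    """Return [(hunk_number, name, offset)] for every entry in every HUNK_SYMBOL."""
    kind, pos = _u32(buf, 0)
    if kind != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk executable")
    n, pos = _u32(buf, pos)            # resident library names: (len, name)..., 0
    while n:
        pos += n * 4
        n, pos = _u32(buf, pos)
    _table_size, pos = _u32(buf, pos)
    first, pos = _u32(buf, pos)
    last, pos = _u32(buf, pos)
    pos += (last - first + 1) * 4      # skip the hunk size table
    hunk, out = first - 1, []
    while pos < len(buf):
        kind, pos = _u32(buf, pos)
        kind &= 0x3FFFFFFF             # drop MEMF_CHIP/MEMF_FAST flag bits
        if kind in (HUNK_CODE, HUNK_DATA):
            hunk += 1
            n, pos = _u32(buf, pos)
            pos += n * 4               # payload is n longwords
        elif kind == HUNK_BSS:
            hunk += 1
            _, pos = _u32(buf, pos)    # only a size, no payload
        elif kind == HUNK_DEBUG:
            n, pos = _u32(buf, pos)
            pos += n * 4
        elif kind == HUNK_RELOC32:
            n, pos = _u32(buf, pos)
            while n:                   # (count, target hunk, offsets...) until count 0
                pos += 4 + n * 4
                n, pos = _u32(buf, pos)
        elif kind == HUNK_SYMBOL:
            n, pos = _u32(buf, pos)    # name length in longwords, 0 ends the list
            while n:
                name = buf[pos:pos + n * 4].rstrip(b"\0").decode("latin-1")
                value, pos = _u32(buf, pos + n * 4)
                out.append((hunk, name, value))
                n, pos = _u32(buf, pos)
        elif kind != HUNK_END:
            raise ValueError(f"unsupported hunk type 0x{kind:x} at {pos - 4}")
    return out

def build_sample() -> bytes:
    """Constructed one-hunk executable with a HUNK_SYMBOL (not the real game file)."""
    code = b"\x4e\x75" * 4             # 8 bytes of code: four RTS instructions
    def sym(name, value):
        raw = name.encode()
        raw += b"\0" * (-len(raw) % 4)
        return struct.pack(">I", len(raw) // 4) + raw + struct.pack(">I", value)
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, len(code) // 4)
            + struct.pack(">II", HUNK_CODE, len(code) // 4) + code
            + struct.pack(">I", HUNK_SYMBOL) + sym("grasp_mem", 0x6E)
            + sym("doit", 0xF8) + struct.pack(">I", 0)
            + struct.pack(">I", HUNK_END))
```

Run hunk_symbols() over the bytes of a real executable and sort by offset to get the same label list a reassembler would show; a file with no HUNK_SYMBOL simply returns an empty list.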
#12  SparkyNZ, 05 March 2015, 10:57
Quote: Originally Posted by phx
Most labels which you see in the reassembly are the labels from the original source text.

The HUNK_CODE (code section contents) is accompanied by a HUNK_SYMBOL, which defines all those label names and offsets.
That's impressive. Similar to a .PDB file in a way, I guess. I wonder if I'll be so lucky with Damocles and Mercenary 3..
#13  Galahad/FLT, 05 March 2015, 13:36
All of the Mercenary games were NonDOS custom format disks as a form of Copy protection.

However, with the exception of the titlepics, the games themselves were single load affairs, i.e. once the game started, all the data that was required by the game was already in memory and it didn't physically need to load from the disk again.

All of the Mercenary games were single filed back in the day, but invariably missing out the title screens.

Crystal cracked Damocles, and retained the title picture, but they used a custom fileloader which meant it couldn't be run from hard drive.

I cracked Mercenary Escape from Targ and Mercenary The Second City a few years ago as single files but with the titlepics retained.

My version is at: http://grandis.nu:81/eabsearch/searc...xclude=&limit=

It's the first in the listing.

Because of the size of the games and that they crunch down very well, it is inconceivable that they were not single filed no matter who cracked them.