24 May 2008, 21:37 | #41
Registered User
Join Date: Feb 2008
Location: warrington UK
Posts: 118
Thanks for the replies. The game I am disassembling is Ruff'n'Tumble. I have downloaded the source for the slave and have commented bits as I think I figure out what is going on. The comments starting with ;; are mine. (Sorry, the comment alignment got a bit messed up.)
I haven't posted the whole of the source but just the bit that loads the first file, patches it, then jumps to the patched code, as that is the bit I am stuck on. I have figured out that the jmp to BASE_ADDRESS+$E6 is jumping into the code that has just been patched. I'm not really sure what the code is, but like I said I think it's Rob Northen code as I have spotted trace vector decoder setup code and code which looks encrypted. This code does a load of stuff I don't really understand (like relocating most of itself to location $50000 then jumping to $50000). I have put a breakpoint when it comes across the patched trap #$f instruction and at this point the address of patch_loader_1 is in location $bc, which apparently is the address of the handler for trap $f. Like I said before, stepping over the trap instruction doesn't take me to the address of patch_loader_1 as I expected but to another routine. I guess what I really would like to know is how can I know which code is Rob Northen code and which is Ruff'n'Tumble game code? Is there an easy way to know? It's quite interesting learning about copy protection but I would really like to get my hands on the real meat of the game code. Am I asking too much? Code:
        lea     _resload(pc),a1
        move.l  a0,(a1)                 ;save for later use
        move.l  a0,a2
        lea     (_tag,pc),a0
        jsr     (resload_Control,a2)
        lea     $7FF00,a7
        lea     two_button_control(pc),a0
        move.l  _custom1(pc),(a0)

; load & version check
        lea     BASE_ADDRESS,A0         ;; load to $10000
        move.l  #$3000,D0               ; offset $3000 from disk
        move.l  #$1600,D1               ;; length $1600 bytes
        moveq   #1,D2                   ;; load from disk 1
        bsr     _loaddisk               ;; load file.1 from the disk
        lea     BASE_ADDRESS,A0
        move.l  #$1600,d0
        jsr     resload_CRC16(a2)       ;; do checksum on all $1600 bytes
        cmp.l   #$33CE,d0               ;; compare checksum
        beq.b   .cont                   ;; goto .cont if was ok
        pea     TDREASON_WRONGVER       ;; quit if wrong checksum
        move.l  _resload(pc),-(a7)
        addq.l  #resload_Abort,(a7)
        rts

.cont   lea     pl_boot(pc),a0          ;; put patch list addr in a0
        lea     BASE_ADDRESS,A1         ;; file.1 exe base address to patch
        jsr     resload_Patch(a2)       ;; patch the exe with the patch list located at pl_boot

;; setup some user defined vector. how does this get called?
        lea     $100,a0                 ;; addr of user defined vector #0 ;; don't know what this does
        move.l  #$80000,(a0)+           ; expsize
        move.l  extbase(pc),(a0)+       ; expbase
        move.l  #$80000,(a0)+           ; expsize
        pea     patch_loader_1(pc)      ;; push patch_loader_1 onto stack
        move.l  (a7)+,$BC.W             ;; set as trap exception vector for trap #$f

;; setup registers/flags before jumping to file.1 exe?
        sub.l   a6,a6                   ;; set a6 to 0
        moveq.l #0,d4
        moveq.l #0,d5
        jmp     BASE_ADDRESS+$E6        ;; jump into file.1 exe.
                                        ;; this jumps to just before the code where it does the jump to $50000
                                        ;; how does it return?

pl_boot PL_START                        ;; patch list start
; Rob read
        PL_P    $170,read_sectors       ;; patch jump
; Copy protection
        PL_L    $774,$21FCBED7          ;; patch long
        PL_L    $778,$B57D0110          ;; patch long
        PL_R    $77C                    ;; set rts
; Trap the loader
        PL_W    $16C,$4E4F              ;; patch word. set to trap #$f. trap #$f will call patch_loader_1?
        PL_END                          ;; patch list end

patch_loader_1                          ;; the address of this is in address $bc. trap exception vector #$f
        movem.l d0-d1/a0-a2,-(a7)
        lea     pl_loader(pc),a0
        move.l  two_button_control(pc),d0
        beq     .not
        lea     pl_loader_2nd_button(pc),a0
.not    sub.l   a1,a1
        move.l  _resload(pc),a2
        jsr     resload_Patch(a2)
        movem.l (a7)+,d0-d1/a0-a2
        jmp     $804.W                  ;; where is this jumping to?
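The question above is how the patched word at offset $16C ends up calling patch_loader_1. On a 68000, TRAP #n is encoded as $4E40+n and uses exception vector 32+n; vectors are four bytes each, so TRAP #15 is $4E4F and its vector sits at $80+4*15 = $BC, which is exactly where the slave stores patch_loader_1 with move.l (a7)+,$BC.W. The Python below is an added example written for this thread, not code from the post or from WHDLoad: it models the pl_boot list as data, applies it to a constructed memory image the way resload_Patch would, installs the vector, and resolves where execution lands when the CPU hits the patched trap. The slave-side addresses READ_SECTORS and PATCH_LOADER_1 are constructed, and the jmp xxx.l encoding used for PL_P is an assumption about that macro rather than something the post states.

```python
# Added example, not code from the thread or from WHDLoad: a model of how the
# patch list in the post hands the loader over to the slave via TRAP #$f.
# Slave-side addresses (READ_SECTORS, PATCH_LOADER_1) are constructed, and the
# 'jmp xxx.l' encoding used here for PL_P is an assumption about that macro.
import struct

BASE_ADDRESS = 0x10000      # where file.1 is loaded in the post
RTS_OPCODE = 0x4E75         # 68000 'rts'
JMP_ABS_LONG = 0x4EF9       # 68000 'jmp xxx.l' opcode word (assumed for PL_P)


def trap_opcode(n):
    """TRAP #n is encoded as $4E40 + n, so TRAP #15 is $4E4F."""
    if not 0 <= n <= 15:
        raise ValueError("TRAP number must be 0..15")
    return 0x4E40 | n


def trap_vector_address(n):
    """TRAP #n uses exception vector 32+n; vectors are 4 bytes, so $80 + 4*n.
    For n = 15 that is $BC, the address the slave writes patch_loader_1 to."""
    return 0x80 + 4 * n


def decode_trap(word):
    """Return the TRAP number if 'word' is a TRAP opcode, otherwise None."""
    return word & 0xF if (word & 0xFFF0) == 0x4E40 else None


class Memory:
    """A flat bytearray standing in for the Amiga's address space (constructed)."""

    def __init__(self, size):
        self.data = bytearray(size)

    def write_word(self, addr, value):
        struct.pack_into(">H", self.data, addr, value & 0xFFFF)

    def write_long(self, addr, value):
        struct.pack_into(">I", self.data, addr, value & 0xFFFFFFFF)

    def read_word(self, addr):
        return struct.unpack_from(">H", self.data, addr)[0]

    def read_long(self, addr):
        return struct.unpack_from(">I", self.data, addr)[0]


def apply_patch_list(mem, base, patches):
    """Apply (macro, offset[, value]) entries relative to 'base', as resload_Patch
    does with the PL_* list. Offsets are relative to the loaded file."""
    for macro, offset, *value in patches:
        addr = base + offset
        if macro == "PL_W":                 # write a word
            mem.write_word(addr, value[0])
        elif macro == "PL_L":               # write a long
            mem.write_long(addr, value[0])
        elif macro == "PL_R":               # write an rts
            mem.write_word(addr, RTS_OPCODE)
        elif macro == "PL_P":               # assumed: jmp <slave routine>.l
            mem.write_word(addr, JMP_ABS_LONG)
            mem.write_long(addr + 2, value[0])
        else:
            raise ValueError(f"unknown patch macro {macro}")


# Constructed slave addresses; the real ones depend on where the slave is loaded.
READ_SECTORS = 0x00070000
PATCH_LOADER_1 = 0x00070100

# The pl_boot list from the post, transcribed as data.
PL_BOOT = [
    ("PL_P", 0x170, READ_SECTORS),      # Rob read: redirect into the slave's loader
    ("PL_L", 0x774, 0x21FCBED7),        # copy protection
    ("PL_L", 0x778, 0xB57D0110),
    ("PL_R", 0x77C),
    ("PL_W", 0x16C, trap_opcode(15)),   # trap the loader: $4E4F = trap #$f
]


def simulate_boot():
    """Patch the loaded file and install the trap handler the way the slave does."""
    mem = Memory(0x80000)
    apply_patch_list(mem, BASE_ADDRESS, PL_BOOT)
    # move.l (a7)+,$BC.W  ->  the TRAP #15 vector now points at patch_loader_1
    mem.write_long(trap_vector_address(15), PATCH_LOADER_1)
    return mem


def dispatch_trap(mem, pc):
    """Where the CPU goes if the word at 'pc' is a TRAP: the handler in its vector."""
    n = decode_trap(mem.read_word(pc))
    return None if n is None else mem.read_long(trap_vector_address(n))


def loader_trap_target():
    """Executing the patched word at BASE_ADDRESS+$16C lands in patch_loader_1."""
    mem = simulate_boot()
    return dispatch_trap(mem, BASE_ADDRESS + 0x16C)


if __name__ == "__main__":
    print(f"trap #15 -> opcode ${trap_opcode(15):04X}, vector at ${trap_vector_address(15):X}")
    print(f"loader trap lands at ${loader_trap_target():08X}")
```

The model only covers the part of the control flow the post shows: the trap takes the loader into the slave's handler, and the jmp $804.W at the end of patch_loader_1 is left unresolved because the post does not say what lives at $804.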
25 May 2008, 19:25 | #42
68k
Join Date: Sep 2005
Location: Somewhere
Posts: 829
Hi crabfists
Quote:
Quote:
As always, any comments are welcome. Regards
03 June 2008, 04:42 | #43
Moderator
Join Date: Jan 2002
Location: Chicago, IL
Posts: 3,390
Could someone zone the Resource 6 manual again please?
03 June 2008, 10:21 | #44
Digital Corruption
Join Date: Jan 2007
Location: Dorrigo/Australia
Age: 60
Posts: 355
03 June 2008, 11:45 | #45
Joy Division
Join Date: Nov 2006
Location: East Yorkshire
Age: 60
Posts: 243
Cheers, RedskullDC. That's one fine crib sheet.
03 June 2008, 15:54 | #46
Digital Corruption
Join Date: Jan 2007
Location: Dorrigo/Australia
Age: 60
Posts: 355
Hi Zenox98,
Glad you like it. Also uploaded 6502 and Z80 versions in case you are interested. Sure there are more than a few C64/C128 lurkers here who would also like 'em. The Resource manual is also in the zone as you requested: Pyromania. (Really must get around to OCR'ing it.) Enjoy, Red
03 June 2008, 15:56 | #47
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
RedskullDC, do you have any other 680x0 reference material/manuals/examples/source etc. you'd be willing to share with us?
03 June 2008, 16:01 | #48
Digital Corruption
Join Date: Jan 2007
Location: Dorrigo/Australia
Age: 60
Posts: 355
Hi Bippym,
Quote:
Is there somewhere in particular I should post to indicate I have uploaded stuff? (Somewhere in coder's heaven perhaps?) Cheers, Red
03 June 2008, 16:03 | #49
Global Moderator
Join Date: Nov 2001
Location: Derby, UK
Age: 48
Posts: 9,355
You can either put it in the zone, or email it to me (myname at gmail.com) and I'll put it on my webspace.
03 June 2008, 16:15 | #50
Digital Corruption
Join Date: Jan 2007
Location: Dorrigo/Australia
Age: 60
Posts: 355
Hi again bippym,
Quote:
I have a couple of 68k manuals which are half-OCR'ed. Will upload when done. I'm always keen to look at others' source code; you never stop learning new tricks. Cheers, Red
13 June 2008, 17:16 | #51
noodle
Join Date: Jun 2007
Location: europe
Posts: 247
I made a little "how to" crack Ruff'n Tumble on Flashtro (and some others). This is a simple RNC (encrypted routine started in trace mode, but no resourcing here).
Very... interesting to resource a whole game! I've done the LionHeart main prog (for the remake), a little bit commented... but hard. Try with some intros/megademos first (hmm... the Windows remake of R'nT is almost finished). Last edited by heavy; 13 June 2008 at 17:30.
13 June 2008, 18:37 | #52
Registered User
Join Date: Feb 2008
Location: warrington UK
Posts: 118
Oooh, thanks. That will be useful. I will take a look later.
I've noticed there is a Ruff'n'Tumble remake in progress but that doesn't bother me too much. If I get anywhere with this project (and I am not promising I will) it will be open source and cross platform, so it would differ from the remake in that it could potentially be ported to the DS for example. Have you got anything to do with the Windows remake? It's written in Blitz Basic, isn't it?
13 June 2008, 18:45 | #53
noodle
Join Date: Jun 2007
Location: europe
Posts: 247
Quote:
Great if the project is open source and cross platform. A DS or PSP version will be good (like the Flashback "Reminiscence" project).
09 July 2008, 16:31 | #54
Registered User
Join Date: Jun 2008
Location: somewhere else
Posts: 524
For games using absolute addresses (like most trackloaded ones) I suggest you use IDA (preferably a 5.xx version at least); otherwise use ReSource.
In every case it's a huge and cumbersome job to disassemble a complete game and finally obtain source code good enough to be re-assembled into a working executable (even for smaller games).
09 July 2008, 16:39 | #55
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
What advantage does IDA Pro have in that case? Just curious. It's perfectly possible to disassemble code that's using absolute addresses with ReSource, so I'd like to know how much better IDA Pro performs that task.
09 July 2008, 16:47 | #56
Registered User
Join Date: Jun 2008
Location: somewhere else
Posts: 524
It's less tedious: you can specify the loading address, it's faster than ReSource, and the analysis seems to be better (or at least IDA fixes all the labels that are within the range of the loaded file addresses without any user intervention).
One drawback of IDA is that it doesn't seem to understand word absolute addresses (a0,$100.w for example, but ReSource doesn't handle that either, I think), so it can shift addresses in the source code. Once the game has been disassembled it's important to be able to recreate the exact same binary/executable file as the original to begin with. I use vasm/vlink for the re-assembling job.
09 July 2008, 16:54 | #57
move.l #$c0ff33,throat
Join Date: Dec 2005
Location: Berlin/Joymoney
Posts: 6,863
You can specify the loading address with ReSource too (essential if you want to disassemble absolute code anyway). But yes, there's a lot of needlework required to obtain a good disassembly using ReSource; disassembling absolute address code is nothing for beginners anyway, IMHO (and neither is disassembling a complete game). ReSource understands the short absolute addresses if you enable "New Syntax" in the options; otherwise it doesn't, which is a bug in my opinion.
Last edited by StingRay; 09 July 2008 at 17:04. Reason: typo fixed
09 July 2008, 18:15 | #58
Registered User
Join Date: Jun 2008
Location: somewhere else
Posts: 524
Well, disassembling with IDA is a very long task too.
I found that it helps a lot to play and perfectly know the game one wants to disassemble, especially when trying to recognize the different parts of the program and its logic. Btw, I checked and IDA understands absolute word addresses correctly; I remember there's a bug in the 68k disassembling but I can't remember where, maybe in the PC-relative addressing mode handling.
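The last few posts turn on whether a disassembler recognises the 68000's absolute short addressing mode ($xxx.W, one extension word) as distinct from absolute long ($xxxxxxxx.L, two extension words). The Python below is an added example, not code from IDA, ReSource or any poster: a minimal decoder for just the instruction forms that appear in this thread (move.l, jmp/jsr, trap, rts, and the common effective addresses), with a switch that deliberately treats absolute short as absolute long so the misalignment the poster describes can be seen on a constructed sample. The sample bytes are assembled by hand from encodings present in the slave source earlier in the thread: the $21FCBED7 $B57D0110 copy-protection patch longs (which decode to move.l #$BED7B57D,$110.W), the vector install move.l (a7)+,$BC.W, jmp $804.W and the trap #$f word; they are not game code.

```python
# Added example, not from any poster: a minimal 68000 decoder for the handful of
# instruction forms that appear in this thread, used to show why a disassembler
# that does not recognise absolute short operands ($xxx.W) misaligns the listing.
# SAMPLE is constructed from encodings discussed above; it is not game code.
import struct


def _word(code, off):
    return struct.unpack_from(">H", code, off)[0]


def _sword(code, off):
    return struct.unpack_from(">h", code, off)[0]


def _long(code, off):
    return struct.unpack_from(">I", code, off)[0]


def decode_ea(mode, reg, size, code, off):
    """Decode one effective address whose extension words start at 'off'.
    Returns (text, extension_bytes). 'size' is the operand size for immediates."""
    if mode == 0:
        return f"d{reg}", 0
    if mode == 1:
        return f"a{reg}", 0
    if mode == 2:
        return f"(a{reg})", 0
    if mode == 3:
        return f"(a{reg})+", 0
    if mode == 4:
        return f"-(a{reg})", 0
    if mode == 5:
        return f"{_sword(code, off)}(a{reg})", 2
    if mode == 7 and reg == 0:          # absolute short: one word, sign-extended
        return f"${_sword(code, off) & 0xFFFFFFFF:X}.W", 2
    if mode == 7 and reg == 1:          # absolute long: two words
        return f"${_long(code, off):X}.L", 4
    if mode == 7 and reg == 2:          # d16(pc)
        return f"{_sword(code, off)}(pc)", 2
    if mode == 7 and reg == 4:          # immediate
        if size == 4:
            return f"#${_long(code, off):X}", 4
        return f"#${_word(code, off) & (0xFF if size == 1 else 0xFFFF):X}", 2
    raise ValueError(f"unsupported addressing mode {mode}/{reg}")


def decode_insn(code, off, honour_short=True):
    """Decode the instruction at 'off'; returns (text, length_in_bytes).
    honour_short=False treats every absolute short operand as absolute long,
    reproducing the kind of decoder bug discussed above."""

    def fix(mode, reg):
        return (7, 1) if (not honour_short and mode == 7 and reg == 0) else (mode, reg)

    w = _word(code, off)
    if w == 0x4E75:
        return "rts", 2
    if (w & 0xFFF0) == 0x4E40:
        return f"trap #{w & 0xF}", 2
    if (w & 0xFF80) == 0x4E80:                         # jsr ($4E80) / jmp ($4EC0)
        mnem = "jmp" if w & 0x0040 else "jsr"
        mode, reg = fix((w >> 3) & 7, w & 7)
        ea, n = decode_ea(mode, reg, 0, code, off + 2)
        return f"{mnem} {ea}", 2 + n
    if (w & 0xF000) == 0x2000:                         # move.l <ea>,<ea>
        smode, sreg = fix((w >> 3) & 7, w & 7)
        dmode, dreg = fix((w >> 6) & 7, (w >> 9) & 7)
        src, ns = decode_ea(smode, sreg, 4, code, off + 2)
        dst, nd = decode_ea(dmode, dreg, 4, code, off + 2 + ns)
        return f"move.l {src},{dst}", 2 + ns + nd
    return f"dc.w ${w:04X}", 2                         # anything else: raw data


def disassemble(code, honour_short=True):
    """Linear sweep; returns a list of (offset, text)."""
    listing, off = [], 0
    while off < len(code):
        text, length = decode_insn(code, off, honour_short)
        listing.append((off, text))
        off += length
    return listing


# Constructed sample: the copy-protection patch bytes from pl_boot, the slave's
# vector install and jmp $804.W, and the trap word written into the loader.
SAMPLE = bytes.fromhex(
    "21FC BED7 B57D 0110"   # move.l #$BED7B57D,$110.W
    "4E75"                  # rts
    "21DF 00BC"             # move.l (a7)+,$BC.W
    "4EF8 0804"             # jmp $804.W
    "4E4F"                  # trap #15
    "4E75"                  # rts
)

if __name__ == "__main__":
    for label, ok in (("correct", True), ("short-as-long", False)):
        print(f"--- {label}")
        for off, text in disassemble(SAMPLE, ok):
            print(f"  ${off:04X}  {text}")
```

With honour_short=False the first move.l swallows the following rts as the high half of a bogus long address, the second move.l swallows the jmp, and the listing only realigns by luck two words later; every label in between is gone or wrong, which is the "shifted addresses" symptom the post describes and why a disassembly should be re-assembled and compared byte for byte against the original before it is trusted.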
22 July 2008, 15:59 | #59
gone
Join Date: Apr 2007
Location: completely gone
Posts: 1,596
Not necessarily related to disassembling games, this question, but still about disassembling:
If I load a crunched file into a disassembler, I assume that what I see a disassembly of is the decrunch header added by the cruncher that originally crunched the file. Is that the case? If so, what's the best way to get a disassembly of the actual file in its uncrunched state? I assume that I'd either have to uncrunch the file back to its original form first (which means I'd have to know what it was crunched with in the first place...?) or load it so that it decrunches and then disassemble it in memory. Would option two even be possible if the program that loaded into memory (for example a demo) killed off the system, meaning I then couldn't use ReSource at the same time? Anyone got any hints for a novice disassembler?
22 July 2008, 16:08 | #60
Amiga Games Database
Join Date: Jun 2006
Location: South West England
Posts: 1,281
Quote:
Mark_k, Carrier Command is one of my favourite games ever; my only criticism of it would be that it needs a bit of tweaking to make it more challenging in the later stages. I'm not suggesting that is something you would want to do necessarily, but did you get to the stage where any tweaking was possible?