Disassembling games for fun - Page 4

crabfists · 22 July 2008, 16:10

@pmc

I'm no expert but I would say the easiest way to do it is to decrunch the file first then disassemble the decrunched executable. I think various standalone unpackers exist out there so its just a matter of finding out which one it was packed with. Is there any magic bytes in the header which can be used to identify the crunch format?

hitchhikr · 22 July 2008, 16:14

use this: http://aminet.net/package/util/pack/xfdmaster
the xfddecrunch command is your friend.

StingRay · 22 July 2008, 16:30

Quote:

Originally Posted by hitchhikr

use this: http://aminet.net/package/util/pack/xfdmaster
the xfddecrunch command is your friend.

This is true in most cases, however if the demo/game is packed with a custom cruncher that's not (yet) supported by XFD you'll have to manually decrunch the file. I.e. Resource the crunched file, find out where the jmp into the decrunched code is, disable it, decrunch into a temporary buffer, save that buffer, done.

That was the "ultra short but should be enough to get you going" description.

pmc · 23 July 2008, 09:27

@hitchhikr: Thanks for that link - tried xfdDecrunch on a crunched demo I had and bosh - now it's an uncrunched demo.

@StingRay: ahhh, so by disabling the jmp, the custom decrunch header decrunches the crunched code but then doesn't branch into it leaving me free to disassemble what's been uncrunched. Clever. You are a wily character.

heavy · 23 July 2008, 12:02

about decruncher, that works fine with simple absolute address cruncher : you can see at the start of the decruncher code for example :
lea $40000,a0
lea $70000,a1
bsr $xxxx ; decrunch
...
jmp $40000 ; <- put rts here

but you can find decruncher using relative address with memory allocation (using hunks). you can't find any jmp or lea $xxxxx.
that kind of decruncher could start with

movem.l d0-d7/a0-a6,-(a7)
...
go to the end of decruncher routine :
movem.l (a7)+,d0-d7/a0-a6
rts

no jsr or jmp. so what ? above the movem.l (a7)+, you can see a thing like that :

jsr (a4)
move.l a1,$3C(a7)
movem.l d0-d7/a0-a6
rts

in this case, start address is in a1, and pushed at the end of the stack. then, when rts, he jump to the start address.
several ways to get the start address : with some debugger, you can have the hunk structure of exe. in this case, you can see the hunks of the program :
- load address
- decrunch and start address
- buffer allocation address

the good way is to put a breakpoint at the line "move.l a1,$3c(a7)" or "movem.l (a7)+,d0-d7/a0-a6" and start in breakpoint mode. (j)
program decrunch, and break before the a1 in stack. take a look at the registers and you have the start adress. also take a look to the new allocated hunks if you want to have the full datas...

sometimes, the decruncher start with
pea xxxxxx
go to address pointed by pea : it's the end of the program.
put a breakpoint at : "movem.l (a7)+,d0..." and take a look to the registers. address is in A4 the most of the time.

another cruncher can start in Trace mode (you can't use breakpoint), etc...

StingRay · 23 July 2008, 12:05

I wouldn't really start to hack relocatable crunched files as that's not too easy. Try with absolute address decrunchers first.

hitchhikr · 23 July 2008, 12:20

Beside most relocatable crunchers are handled by xfddecrunch

StingRay · 23 July 2008, 12:23

Indeed.

29 October 2008, 10:52

Quote:

Originally Posted by RedskullDC

Hi Pyro,

Will upload again when I get home from work in a few hours.

In the meantime, just uploaded 68000 programmers reference card.

Enjoy,
Red

Can someone please upload the ReSource 6 manual along witht eh 68k Programmers Reference card to the Zone again please.

RedskullDC is not able to at the moment, so if someone else could do it for me it would be greatly appreciated.

Thanks

Keeks

StingRay · 29 October 2008, 11:20

I've uploaded the ReSource manual to my webspace, you can find it here. I don't have the 68k Programmers Reference card though.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Disassembling games to find out the game logic?	Jonathan Drain	Coders. General	14	20 November 2012 02:24
Disassembling resource	copse	Coders. General	1	02 April 2012 03:36
Amiga Games that were most fun	amiga_user	Retrogaming General Discussion	22	27 September 2011 18:51
Fun and games with the 68000!	h0ffman	Coders. General	4	28 February 2011 16:54
Idea: Fun & Games page	Jim	project.APoV	11	14 July 2004 17:49

22 July 2008, 16:10	#61
crabfists Registered User Join Date: Feb 2008 Location: warrington UK Posts: 118	@pmc I'm no expert but I would say the easiest way to do it is to decrunch the file first then disassemble the decrunched executable. I think various standalone unpackers exist out there so its just a matter of finding out which one it was packed with. Is there any magic bytes in the header which can be used to identify the crunch format?

22 July 2008, 16:14	#62
hitchhikr Registered User Join Date: Jun 2008 Location: somewhere else Posts: 524	use this: http://aminet.net/package/util/pack/xfdmaster the xfddecrunch command is your friend.

23 July 2008, 09:27	#64
pmc gone Join Date: Apr 2007 Location: completely gone Posts: 1,596	@hitchhikr: Thanks for that link - tried xfdDecrunch on a crunched demo I had and bosh - now it's an uncrunched demo. @StingRay: ahhh, so by disabling the jmp, the custom decrunch header decrunches the crunched code but then doesn't branch into it leaving me free to disassemble what's been uncrunched. Clever. You are a wily character.

23 July 2008, 12:02	#65
heavy noodle Join Date: Jun 2007 Location: europe Posts: 247	about decruncher, that works fine with simple absolute address cruncher : you can see at the start of the decruncher code for example : lea $40000,a0 lea $70000,a1 bsr $xxxx ; decrunch ... jmp $40000 ; <- put rts here but you can find decruncher using relative address with memory allocation (using hunks). you can't find any jmp or lea $xxxxx. that kind of decruncher could start with movem.l d0-d7/a0-a6,-(a7) ... go to the end of decruncher routine : movem.l (a7)+,d0-d7/a0-a6 rts no jsr or jmp. so what ? above the movem.l (a7)+, you can see a thing like that : jsr (a4) move.l a1,$3C(a7) movem.l d0-d7/a0-a6 rts in this case, start address is in a1, and pushed at the end of the stack. then, when rts, he jump to the start address. several ways to get the start address : with some debugger, you can have the hunk structure of exe. in this case, you can see the hunks of the program : - load address - decrunch and start address - buffer allocation address the good way is to put a breakpoint at the line "move.l a1,$3c(a7)" or "movem.l (a7)+,d0-d7/a0-a6" and start in breakpoint mode. (j) program decrunch, and break before the a1 in stack. take a look at the registers and you have the start adress. also take a look to the new allocated hunks if you want to have the full datas... sometimes, the decruncher start with pea xxxxxx go to address pointed by pea : it's the end of the program. put a breakpoint at : "movem.l (a7)+,d0..." and take a look to the registers. address is in A4 the most of the time. another cruncher can start in Trace mode (you can't use breakpoint), etc...

23 July 2008, 12:05	#66
StingRay move.l #$c0ff33,throat Join Date: Dec 2005 Location: Berlin/Joymoney Posts: 6,863	I wouldn't really start to hack relocatable crunched files as that's not too easy. Try with absolute address decrunchers first.

23 July 2008, 12:20	#67
hitchhikr Registered User Join Date: Jun 2008 Location: somewhere else Posts: 524	Beside most relocatable crunchers are handled by xfddecrunch

23 July 2008, 12:23	#68
StingRay move.l #$c0ff33,throat Join Date: Dec 2005 Location: Berlin/Joymoney Posts: 6,863	Indeed.

29 October 2008, 11:20	#70
StingRay move.l #$c0ff33,throat Join Date: Dec 2005 Location: Berlin/Joymoney Posts: 6,863	I've uploaded the ReSource manual to my webspace, you can find it here. I don't have the 68k Programmers Reference card though.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)