Posts

Final Countdown - Amiga - Disassembling space

This is the disassembly of the small code block in the space executable. I inserted a few comments to aid understanding and analysis, but what the code itself does is still TBD.

    ;; allocated at 0x00000000
    _lbC000000:
        jmp (_lbC000036r).L
    _symb000002:                ;; this label points to the jmp target
        EQU *-4                 ;; and is changed later by code
    _lbL000006:
        dc.l $00018B20
    _lbL00000A:
        dc.l $0000A124
    ;; Subroutine start
    _lbC00000E:
        lsl.b #$1, d6
        bne _lbC00001C
        move.b (a4)+, d6
        ori.b #$10, CCR
        roxl.b #$1, d6
    _lbC00001C:
        rts
    ;; --- Subroutine end
    ;; --- Subroutine start
    _lbC00001E:
        moveq #0, d0
    _lbC000020:
        lsl.b #$1, d6
        bne _lbC00002E
        move.b (a4)+, d6
        ori.b #$10, CCR
        roxl.b #$1, d6
    _lbC00002E:
        roxl.l #$1, d0
        dbf d5, _lbC000020
        rts
    ;; --- Subroutine end
    _lbC000036r:
        movem.l d0-d7/a0-a6, -(a7)
        move.l (_lbC00000A,PC), d7
        movea.l #_lbL000264r, a...
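The two subroutines at _lbC00000E and _lbC00001E can be followed instruction by instruction even before their role in the program is known. The Python below is an added model of them written here from the listing; it is not code from the original post, and it does not claim what the surrounding program uses the bits for. The register roles (d6 as an 8-bit buffer, a4 as the read pointer, d5 as the dbf counter, d0 as the result) are read off the listing; the initial value of d6 is not visible in the excerpt and is assumed to be $80.

```python
# Added model of the two subroutines at _lbC00000E and _lbC00001E, written
# from the instruction sequence in the listing; not code from the original post.
# Assumed register roles: d6 = 8-bit bit buffer, a4 = read pointer into the
# data, d5 = loop counter for dbf, d0 = result longword.


class BitReader:
    def __init__(self, data: bytes, a4: int = 0, d6: int = 0x80):
        self.data = data   # memory that a4 points into
        self.a4 = a4       # read pointer, advanced by move.b (a4)+,d6
        # Initial d6 is not visible in the excerpt; 0x80 is assumed here, which
        # makes the first call refill the buffer immediately.
        self.d6 = d6 & 0xFF

    def get_bit(self) -> int:
        """_lbC00000E: return the next bit, as the 68000 leaves it in the C flag."""
        # lsl.b #1,d6: bit 7 goes to C (and X), the shifted value goes back to d6.
        carry = (self.d6 >> 7) & 1
        self.d6 = (self.d6 << 1) & 0xFF
        if self.d6 != 0:
            # bne _lbC00001C / rts: the buffer still holds data, C is the bit.
            return carry
        # Buffer is empty: the bit just shifted out was a sentinel 1, not data.
        # move.b (a4)+,d6 loads the next byte,
        byte = self.data[self.a4]
        self.a4 += 1
        # ori.b #$10,CCR sets X=1, and roxl.b #1,d6 rotates the byte left by one
        # with X entering bit 0: C = old bit 7 (the data bit returned) and the
        # new bit 0 is the sentinel that marks where the data bits stop.
        carry = (byte >> 7) & 1
        self.d6 = ((byte << 1) | 1) & 0xFF
        return carry

    def get_bits(self, d5: int) -> int:
        """_lbC00001E: read d5+1 bits, most significant first, into d0."""
        d0 = 0  # moveq #0,d0
        # dbf d5,_lbC000020 runs the body d5+1 times; roxl.l #1,d0 shifts C in.
        for _ in range(d5 + 1):
            d0 = ((d0 << 1) | self.get_bit()) & 0xFFFFFFFF
        return d0


def read_stream(data: bytes, widths: list) -> list:
    """Pull fields of the given bit widths, in order, from a constructed stream."""
    r = BitReader(data)
    return [r.get_bits(w - 1) for w in widths]   # get_bits takes d5 = width-1


if __name__ == "__main__":
    # Constructed sample: 0xA5 0x3C = 10100101 00111100 as a bit stream.
    print(read_stream(bytes([0xA5, 0x3C]), [8, 4, 4]))  # [165, 3, 12]
```

The sentinel trick is why the listing never needs a separate bit counter: the buffer byte itself records how many data bits are left, and the refill happens only when the shift leaves d6 at zero.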

Final Countdown - Amiga - Disassembling zob

Last time we looked at the structure of the executables zob and space. Using a custom tool, we could see that zob is mostly a small (300 bytes) code block, while space has a small code block (612 bytes) and a larger data block (40kb) which is probably compressed code.

If we disassemble zob, this is what we see. I started to analyze some of it but didn't get far.

    _lbC000000
        movem.l d0-d7/a0-a6, -(a7)   ;; save all registers at addr of A7
        lea ($dff180).l, a6          ;; $dff180 is the memory-mapped custom chip register COLOR00
        lea (_lbL0000C6,pc), a0      ;; load PC+offset (given by label) into A0
        lea ($120).l, a1
        move.l (a0)+, d0
        move.l (a0)+, d1
        move.l (a0)+, d5
        movea.l a1, a2
        adda.l d0, a0
        adda.l d1, a2
        move.l -(a0), d0
        eor d0, d5
    _lbC000024
        lsr.l #$1, d0
        bne _lbC00002A
        bsr _lbC0000A0
    _lbC00002A
        bcs _lbC00005E
        moveq #$8, d1
        moveq #$1, d3
        lsr.l #$1, d0
        bne _lb...

Final Countdown - Amiga - Opening the binaries

In the last post, we looked at the contents of the disk images for Final Countdown. The next step is to take a look at the executables and try to extract the code to analyze.

Quick recap: the first disk contains 3 executables: intro, zob and space. The first one is the cracker intro (this is the cracked version, after all). The startup sequence runs intro, then shows a text file, then runs zob and space in sequence. We assume the intro binary only shows the intro and does nothing else to the system (this may be a wrong assumption, but it's simpler for now). So we have to analyze zob and space.

The format for AmigaOS binaries is called Hunk. I searched the internet looking for a tool that dumped this format, without success. It's likely that such a tool does exist, but I couldn't find one. So I decided to write a tool to dump Amiga Hunk binaries.

The format is specified in "The AmigaDOS Manual", Part 3 (AmigaDOS Technical Reference Manual), C...
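A dump tool of the kind described needs to walk the Hunk header's size table and then each hunk block. The Python below is an added example written here, not the author's tool: it parses the executable layout from the AmigaDOS Technical Reference Manual (HUNK_HEADER, resident library names, size table, then HUNK_CODE/DATA/BSS blocks with RELOC32, SYMBOL and DEBUG blocks and HUNK_END) and prints one line per hunk with its type and size. The sample file it parses is constructed inline, not zob or space.

```python
import struct

# Hunk block identifiers from the AmigaDOS Technical Reference Manual.
HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG = 0x3EC, 0x3F0, 0x3F1
HUNK_END, HUNK_HEADER = 0x3F2, 0x3F3
BLOCK_NAMES = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS"}
SIZE_MASK = 0x3FFFFFFF          # bits 30/31 of a size word are memory-type flags


class _Reader:
    def __init__(self, blob: bytes):
        self.blob, self.pos = blob, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.blob, self.pos)   # all words are big-endian
        self.pos += 4
        return v

    def take(self, n: int) -> bytes:
        chunk = self.blob[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated hunk file")
        self.pos += n
        return chunk


def parse_hunk_executable(blob: bytes) -> dict:
    """Return the header size table and the list of loadable hunks in a Hunk executable."""
    r = _Reader(blob)
    if r.u32() != HUNK_HEADER:
        raise ValueError("not a Hunk executable (missing HUNK_HEADER)")
    n = r.u32()                  # resident library names: (length, name) pairs, 0-terminated
    while n:
        r.take(n * 4)
        n = r.u32()
    table_size, first, last = r.u32(), r.u32(), r.u32()
    sizes = []
    for _ in range(last - first + 1):
        s = r.u32()
        if s & 0xC0000000 == 0xC0000000:   # both flag bits set: an extra attribute word follows
            r.u32()
        sizes.append((s & SIZE_MASK) * 4)  # sizes are stored in longwords
    hunks, current = [], None
    while r.pos < len(blob):
        kind = r.u32() & 0x1FFFFFFF        # strip memory-type and advisory flag bits
        if kind in BLOCK_NAMES:
            length = (r.u32() & SIZE_MASK) * 4
            current = {"type": BLOCK_NAMES[kind], "size": length,
                       "data": r.take(length) if kind != HUNK_BSS else b"",
                       "relocs": [], "symbols": {}}
            hunks.append(current)
        elif kind in (HUNK_RELOC32, HUNK_SYMBOL) and current is None:
            raise ValueError(f"block 0x{kind:X} before any CODE/DATA/BSS hunk")
        elif kind == HUNK_RELOC32:
            count = r.u32()
            while count:                   # (count, target hunk, count offsets)* then 0
                target = r.u32()
                current["relocs"].append((target, [r.u32() for _ in range(count)]))
                count = r.u32()
        elif kind == HUNK_SYMBOL:
            length = r.u32()
            while length:                  # (name length in longwords, name, value)* then 0
                name = r.take(length * 4).rstrip(b"\0").decode("latin-1")
                current["symbols"][name] = r.u32()
                length = r.u32()
        elif kind == HUNK_DEBUG:
            r.take(r.u32() * 4)
        elif kind == HUNK_END:
            current = None
        else:
            raise ValueError(f"unsupported hunk type 0x{kind:X} at offset {r.pos - 4}")
    if len(hunks) != table_size:
        raise ValueError(f"header announces {table_size} hunks, found {len(hunks)}")
    return {"sizes": sizes, "hunks": hunks}


def summarize(parsed: dict) -> list:
    """One line per hunk, in the style of a dump tool."""
    return [f"hunk {i}: {h['type']} {h['size']} bytes, "
            f"{sum(len(o) for _, o in h['relocs'])} reloc32 entries"
            for i, h in enumerate(parsed["hunks"])]


def build_sample() -> bytes:
    """Constructed two-hunk executable (not a real Amiga file): code + data."""
    code = b"\x4e\x71\x4e\x71" + b"\x00\x00\x00\x00" + b"\x4e\x75\x4e\x71"  # nop nop, <ptr>, rts nop
    data = b"HELO" + b"\x00\x00\x00\x01"
    return b"".join([
        struct.pack(">II", HUNK_HEADER, 0),         # no resident libraries
        struct.pack(">III", 2, 0, 1),               # 2 hunks, numbered 0..1
        struct.pack(">II", 3, 2),                   # sizes in longwords
        struct.pack(">II", HUNK_CODE, 3), code,
        struct.pack(">IIII", HUNK_RELOC32, 1, 1, 4), struct.pack(">I", 0),  # 1 reloc to hunk 1 at offset 4
        struct.pack(">I", HUNK_END),
        struct.pack(">II", HUNK_DATA, 2), data,
        struct.pack(">I", HUNK_END),
    ])


if __name__ == "__main__":
    for line in summarize(parse_hunk_executable(build_sample())):
        print(line)
```

Run against a real executable by passing the file's bytes to parse_hunk_executable; a "small code block plus large data block" layout like the one described for space shows up as one CODE hunk and one DATA hunk in the summary, and the reloc32 lists tell you which hunk the code expects to patch at load time.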

Interleaved ROM layout in Shinobi

There was something in the Shinobi ROM layout (from the MAME sources) that I found intriguing. I'll repeat here just the layout for the 68000 code:

    ROM_REGION( 0x40000, "maincpu", 0 ) // 68000 code
    ROM_LOAD16_BYTE( "epr-12010.43", 0x000000, 0x10000, CRC(7df7f4a2) SHA1(86ac00a3a8ecc1a7fcb00533ea12a6cb6d59089b) )
    ROM_LOAD16_BYTE( "epr-12008.26", 0x000001, 0x10000, CRC(f5ae64cd) SHA1(33c9f25fcaff80b03d074d9d44d94976162411bf) )
    ROM_LOAD16_BYTE( "epr-12011.42", 0x020000, 0x10000, CRC(9d46e707) SHA1(37ab25b3b37365c9f45837bfb6ec80652691dd4c) ) // == epr-11283
    ROM_LOAD16_BYTE( "epr-12009.25", 0x020001, 0x10000, CRC(7961d07e) SHA1(38cbdab35f901532c0ad99ad0083513abd2ff182) ) // == epr-11281

The first block of 64kb is put at offset 0, but the second 64kb block is set at offset 1. The same happens with the other two blocks, which are placed at offset ...
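To make the offset 0 / offset 1 pattern concrete, the Python below is an added example (not from the MAME source or the original post) that applies the four ROM_LOAD16_BYTE lines to a 0x40000-byte region: bytes from the ROM loaded at the even offset land at even addresses and bytes from the ROM at the odd offset at odd addresses, which is how two byte-wide chips form the 16-bit bus of the 68000. It also does the reverse split, which is what you need when you have a flat dump and want the per-chip images back. The ROM contents are constructed filler; only the names and offsets come from the driver.

```python
# Added example, not from the MAME source or the original post: what the four
# ROM_LOAD16_BYTE lines do to the "maincpu" region, and the reverse split.
# ROM contents below are constructed filler; names and offsets are the driver's.

REGION_SIZE = 0x40000
ROM_SIZE = 0x10000

# (rom name, load offset) exactly as listed in the ROM_REGION for the 68000.
SHINOBI_68K_LOADS = [
    ("epr-12010.43", 0x000000),
    ("epr-12008.26", 0x000001),
    ("epr-12011.42", 0x020000),
    ("epr-12009.25", 0x020001),
]


def load16_byte(region: bytearray, offset: int, rom: bytes) -> None:
    """ROM_LOAD16_BYTE: place each ROM byte at every second address, starting at offset."""
    end = offset + 2 * len(rom)
    if end > len(region) + 1:   # an odd offset ends one byte past an even one
        raise ValueError("ROM does not fit in region")
    region[offset:end:2] = rom


def build_maincpu_region(roms: dict) -> bytes:
    """Apply the driver's load list and return the 0x40000-byte 68000 address space image."""
    region = bytearray(REGION_SIZE)
    for name, offset in SHINOBI_68K_LOADS:
        rom = roms[name]
        if len(rom) != ROM_SIZE:
            raise ValueError(f"{name}: expected {ROM_SIZE:#x} bytes, got {len(rom):#x}")
        load16_byte(region, offset, rom)
    return bytes(region)


def split16(image: bytes) -> tuple:
    """Inverse of the interleaving: even-address bytes and odd-address bytes as two ROMs."""
    return bytes(image[0::2]), bytes(image[1::2])


def read_word(image: bytes, addr: int) -> int:
    """Fetch a 16-bit word the way the big-endian 68000 does: high byte at the even address."""
    return (image[addr] << 8) | image[addr + 1]


def constructed_roms() -> dict:
    """Filler ROMs: each one repeats a 2-byte tag so the interleaving is visible in the result."""
    tags = {"epr-12010.43": b"\x10\x43", "epr-12008.26": b"\x08\x26",
            "epr-12011.42": b"\x11\x42", "epr-12009.25": b"\x09\x25"}
    return {name: tag * (ROM_SIZE // 2) for name, tag in tags.items()}


if __name__ == "__main__":
    image = build_maincpu_region(constructed_roms())
    # The 68000 takes its initial SSP from address 0 and PC from address 4,
    # so both vectors are assembled from the pair epr-12010.43 / epr-12008.26.
    print(f"{read_word(image, 0):04x} {read_word(image, 2):04x}")   # 1008 4326
```

The practical consequence for disassembly: neither chip image on its own contains a single complete 68000 instruction word, so a disassembler must be pointed at the interleaved region, not at the individual ROM files.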

Final Countdown - Amiga - Investigating the files

1. Intro Final Countdown is a relatively obscure Amiga game that is often compared with Impossible Mission (a game I don't know), created by German developers Demonware. The entire game is a kind of big puzzle; the protagonist, Laira Tyrik, is a human scientist (wearing unusual clothes for a scientist) in the year 2437 who is transported to an "asteroid" to investigate. The asteroid is actually a spaceship coming to our solar system, and it seems unfriendly. Laira has to avoid obstacles that can kill her, and find information about how to disable the asteroid's systems so it does not destroy Earth. She can try to access the computers that are available in many places in order to manipulate the ship systems and gather information. The game is hard to figure out, and there is no guide anywhere on the internet about how to finish it. After watching Eric from Cosmic Effect play the game and get stuck in it, I tried to play and got stuck the same way. So I decided to look in...

Reference on D88 disk image format

To investigate what code gets executed when a disk is loaded in one of the Japanese computers, we can investigate the contents of the disk image. Disk images for many Japanese computers are often distributed in the D88 format. Luckily it is a simple format and there's a reference about it in English here: https://www.z88dk.org/tools/x1/XBrowser_User_Guide.pdf (look in Appendix II). It is a reference for a tool intended for Sharp X1 users, but the format is the same one used by PC88 and other Japanese computer emulators and tools.

The information is organized by tracks and then by sectors, as on a real disk.

File header

The file begins with a header with the following fields:

    struct header {
        char name[17];      // image name, usually empty
        u8   reserved[9];   // reserved, usually zero
        u8   write_protect; // non-zero value means write-protected disk
        u8   media_type;    // 0: 2D, 0x10: 2DD, 0x20: 2HD, 0x30: 1D, 0x40: 1DD
        u32  disk_size; ...
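A reader for this header is short enough to write in a few lines, and once the track table is in hand the sectors follow. The Python below is an added example written here, not code from the original post or from XBrowser. The header fields are the ones listed above; the rest of the layout is assumed from the format reference, since the excerpt stops at disk_size: a table of 164 little-endian u32 track offsets starting at 0x20 (so the header is 0x2B0 bytes), and each track stored as a run of 16-byte sector headers (C, H, R, N, sectors per track, density, deleted flag, FDC status, 5 reserved bytes, data size) each followed by its data. The disk it parses is constructed inline.

```python
import struct

# Added example, not code from the original post or from XBrowser: a minimal
# D88 reader. Header fields match the struct above; the 164-entry track table
# at 0x20 and the 16-byte sector header layout are assumed from the format
# reference, which the excerpt does not reach.

FIXED_HEADER = 0x20
TRACK_ENTRIES = 164
HEADER_SIZE = FIXED_HEADER + 4 * TRACK_ENTRIES     # 0x2B0
MEDIA_TYPES = {0x00: "2D", 0x10: "2DD", 0x20: "2HD", 0x30: "1D", 0x40: "1DD"}
# C, H, R, N, sectors per track, density, deleted mark, FDC status, 5 reserved, data size
SECTOR_HEADER = struct.Struct("<BBBBHBBB5xH")


def parse_d88(image: bytes) -> dict:
    """Parse one D88 disk (the first, if the file concatenates several) into tracks and sectors."""
    if len(image) < HEADER_SIZE:
        raise ValueError("file shorter than a D88 header")
    name = image[:17].split(b"\0", 1)[0].decode("ascii", "replace")
    write_protect = image[0x1A] != 0
    media = MEDIA_TYPES.get(image[0x1B], f"unknown({image[0x1B]:#04x})")
    (disk_size,) = struct.unpack_from("<I", image, 0x1C)
    offsets = struct.unpack_from(f"<{TRACK_ENTRIES}I", image, FIXED_HEADER)
    tracks = {}
    for track_no, off in enumerate(offsets):
        if off == 0:               # unused track
            continue
        if off >= disk_size:
            raise ValueError(f"track {track_no} offset {off:#x} lies outside the disk image")
        sectors, pos, expected = [], off, None
        # The sector count for the track is repeated in every sector header;
        # the first header tells us how many to read.
        while expected is None or len(sectors) < expected:
            c, h, r, n, per_track, density, deleted, status, size = SECTOR_HEADER.unpack_from(image, pos)
            data = image[pos + 16:pos + 16 + size]
            if len(data) != size:
                raise ValueError(f"sector C{c} H{h} R{r} is truncated")
            sectors.append({"chrn": (c, h, r, n), "size": size, "density": density,
                            "deleted": deleted != 0, "status": status, "data": data})
            expected = per_track
            pos += 16 + size
        tracks[track_no] = sectors
    return {"name": name, "write_protect": write_protect, "media": media,
            "disk_size": disk_size, "tracks": tracks}


def first_sector(parsed: dict) -> bytes:
    """Data of the lowest-numbered sector on track 0, the first thing a boot loader reads."""
    track0 = parsed["tracks"][0]
    return min(track0, key=lambda s: s["chrn"][2])["data"]


def build_sample() -> bytes:
    """Constructed single-track 2D image with two 256-byte sectors (N=1)."""
    sectors = [(1, b"BOOT".ljust(256, b"\0")), (2, bytes(range(256)))]
    track = b"".join(SECTOR_HEADER.pack(0, 0, r, 1, len(sectors), 0, 0, 0, len(d)) + d
                     for r, d in sectors)
    disk_size = HEADER_SIZE + len(track)
    header = (b"SAMPLE".ljust(17, b"\0") + bytes(9) + b"\x00" + b"\x00" +
              struct.pack("<I", disk_size) +
              struct.pack(f"<{TRACK_ENTRIES}I", HEADER_SIZE, *([0] * (TRACK_ENTRIES - 1))))
    assert len(header) == HEADER_SIZE
    return header + track


if __name__ == "__main__":
    d = parse_d88(build_sample())
    print(d["name"], d["media"], len(d["tracks"]), first_sector(d)[:4])
```

Two things to keep in mind on real images: the size field in the sector header is what to trust rather than 128 << N, since protected disks deliberately mismatch them, and a file whose length exceeds disk_size holds more than one disk back to back, so a second parse should start at offset disk_size.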

PC88 I/O Map

Found this map of the I/O ports on the PC88, which helps when reading disassembled code: PC-8801 I/Oマップ (PC-8801 I/O map, at dti.ne.jp)