Topic: load.exe compression (first level)

llm

load.exe compression (first level)
« on: January 10, 2009, 11:48:24 PM »
(this is my first "try" at getting into reverse engineering the game)

I just found out that load.exe is exepacker-based
and can be easily uncompressed with UNP (in the zip archive \unp412b)

and I reduced the normal stunts11 package to the minimal amount of files
(data and "executables") needed to run the game (without the anti-password-crack, setup stuff)
so it's easier to use a debugger or disassembler (http://www.hex-rays.com/idapro/idadownfreeware.htm) on it
and the dosbox debugger could also help: http://vogons.zetafleet.com/viewtopic.php?t=3944

in the load.asm file is a first-shot listing from IDA freeware

just use start.bat to start the game - happy opcode extracting

dstien

Re: load.exe compression (first level)
« Reply #1 on: January 11, 2009, 12:34:00 AM »
Hi llm, welcome to the forums! It's always nice to see new faces around here.

About a year ago I began doing the same thing, reversed the decompression format and wrote my own implementation. With this tool we can decompress the actual code files. It would be awesome to reverse the physics code, then we could add modern 3d rendering, make automated replay analysis, etc.</daydream>

The next logical step would probably be to build a new EXE file from the CMN/DIF/COD/DRV files to ease the reversing process by skipping LOAD.EXE.

We have documented some of the data formats on the Stunts Wiki. See also the reversing discussion thread (contains lots of inaccuracies as well).

llm

Re: load.exe compression (first level)
« Reply #2 on: January 11, 2009, 10:31:19 AM »
does your uncompress tool also work for the load.exe
and the other "executables" or just for the data files?

cas (http://forum.stunts.hu/index.php?topic=1663.msg22912#msg22912) had the
idea that the .cod and other files are also compressed (maybe with the same algorithm)

do you have a pre-disassembled version of load.exe (like in my 7z file)
or additional information (ideas) about the process of combining
the .dif/.hdr files in memory and running them?

and I need a good 16-bit debugger - is the dosbox debugger ok for that
(I want to trace all the int 21h "calls")

bye
« Last Edit: January 11, 2009, 10:36:59 AM by llm »

llm

Re: load.exe compression (first level)
« Reply #3 on: January 11, 2009, 02:03:27 PM »
dosbox is great for tracing
but logs for file read/write/close etc. are still missing in dos_files.cpp

that is the interesting part of the dosbox 0.72 debugger log

.....
    292274: EXEC:Parsing command line: load /u MCGA /ssb
    292277: EXEC:Execute load.EXE 0
    292277: FILES:file open command 0 file load.EXE
    295175: FILES:file open command 0 file setup.dat --> NOT NEEDED
    297261: FILES:file open command 0 file LOAD.EXE
    297736: FILES:file open command 0 file LOAD.EXE
    299442: FILES:file open command 0 file LOAD.EXE
    303022: FILES:file open command 0 file LOAD.EXE
    324105: FILES:file open command 0 file setup.dat --> NOT NEEDED
    325611: FILES:file open command 0 file MCGA.hdr
    326087: FILES:file open command 0 file MCGA.hdr
    331822: FILES:file open command 0 file ega.cmn
   4710849: FILES:file open command 0 file ega.cmn
   9089067: FILES:file open command 0 file mcga.dif
  10375116: FILES:file open command 0 file mcga.cod
  12136719: PIC:0 mask FB
  12136737: PIC:0 mask F8
  12137701: INT10:Set Video Mode 13
  12137701: VGA:Blinking 0
  12137774: PIC:0 mask FB
  12137791: PIC:0 mask F8
  12137796: PIT:PIT 0 Timer set without new control word
  12137796: PIT:PIT 0 Timer at 100.00 Hz mode 3
  12139079: MOUSE:Define Hortizontal range min:0 max:638
  12139142: MOUSE:Define Vertical range min:0 max:199
  12139708: FILES:file open command 0 file ad15.drv
  12139936: FILES:file open command 0 file ad15.drv
  12172478: FILES:file open command 0 file sdmain.PVS
  12172713: FILES:file open command 0 file sdmain.PVS
  12172789: FILES:file open command 0 file sdmain.PVS
  12208132: VGA:h total 100 end 80 blank (80/98) retrace (84/96)
  12208132: VGA:v total 449 end 400 blank (406/441) retrace (412/414)
  12208132: VGA:Width 320, Height 200, fps 70.086304
  12208132: VGA:double width, double height aspect 1.200000
  12249935: VGAMISC:Parts left: 4
..... the intro starts here

so the "executables" needed for a run are:

load.exe
ega.cmn
mcga.hdr/dif/cod
ad15.drv --> soundblaster ... looks like a sys-driver (says IDA freeware)

but there is no hidden-file-create or something like that :-{

« Last Edit: January 11, 2009, 02:48:03 PM by llm »

llm

Re: load.exe compression (first level)
« Reply #4 on: January 11, 2009, 04:11:43 PM »
a more detailed log (I've added some log messages to the DOS file handling of dosbox)

-----------------------------------
dos starts load.exe itself
    292274: EXEC:Parsing command line: load /u MCGA /ssb
    292277: EXEC:Execute load.EXE 0
    292277: FILES:DOS_OpenFile
      292277: FILES:file open command 0 file load.EXE
    292277: FILES:DOS_ReadFile .. read exe header?
    292277: FILES:DOS_SeekFile ..
    292277: FILES:DOS_ReadFile ..
    292277: FILES:DOS_SeekFile ..
    292277: FILES:DOS_ReadFile
    ~200 calls to DOS_ReadFile
    292277: FILES:DOS_ReadFile
    292277: FILES:DOS_ReadFile
    292277: FILES:DOS_ReadFile
    292277: FILES:DOS_CloseFile
-----------------------------------
    295175: FILES:DOS_OpenFile
      295175: FILES:file open command 0 file setup.dat
    296058: FILES:DOS_WriteFile

extract of data from the load.exe?
    297261: FILES:DOS_OpenFile
      297261: FILES:file open command 0 file LOAD.EXE
    297271: FILES:DOS_SeekFile
    297279: FILES:DOS_SeekFile
    297300: FILES:DOS_CloseFile

    297736: FILES:DOS_OpenFile
      297736: FILES:file open command 0 file LOAD.EXE
    297972: FILES:DOS_ReadFile
    298098: FILES:DOS_CloseFile

    299442: FILES:DOS_OpenFile
      299442: FILES:file open command 0 file LOAD.EXE
    299595: FILES:DOS_SeekFile
    299822: FILES:DOS_ReadFile
    299946: FILES:DOS_CloseFile

    303022: FILES:DOS_OpenFile
      303022: FILES:file open command 0 file LOAD.EXE
    303258: FILES:DOS_ReadFile
    303398: FILES:DOS_CloseFile

    324105: FILES:DOS_OpenFile
      324105: FILES:file open command 0 file setup.dat

    325611: FILES:DOS_OpenFile
      325611: FILES:file open command 0 file MCGA.hdr
    325621: FILES:DOS_SeekFile
    325629: FILES:DOS_SeekFile
    325651: FILES:DOS_CloseFile

    326087: FILES:DOS_OpenFile
      326087: FILES:file open command 0 file MCGA.hdr
    326323: FILES:DOS_ReadFile
    326449: FILES:DOS_CloseFile

    331822: FILES:DOS_OpenFile
      331822: FILES:file open command 0 file ega.cmn
    331845: FILES:DOS_ReadFile
    333849: FILES:DOS_SeekFile
    333865: FILES:DOS_ReadFile
    608542: FILES:DOS_ReadFile
    884622: FILES:DOS_ReadFile
   1159489: FILES:DOS_ReadFile
   1436204: FILES:DOS_ReadFile
   1715283: FILES:DOS_ReadFile
   1995735: FILES:DOS_ReadFile
   2279468: FILES:DOS_ReadFile
   2553427: FILES:DOS_ReadFile
   2836708: FILES:DOS_ReadFile
   3117516: FILES:DOS_ReadFile
   3398665: FILES:DOS_ReadFile
   3673687: FILES:DOS_ReadFile
   3951523: FILES:DOS_ReadFile
   4257609: FILES:DOS_ReadFile
   4560061: FILES:DOS_ReadFile
   4708330: FILES:DOS_CloseFile
   4710849: FILES:DOS_OpenFile
   4710849: FILES:file open command 0 file ega.cmn
   4710872: FILES:DOS_ReadFile
   4712877: FILES:DOS_SeekFile
   4712893: FILES:DOS_ReadFile
   4987584: FILES:DOS_ReadFile
   5263664: FILES:DOS_ReadFile
   5538517: FILES:DOS_ReadFile
   5815246: FILES:DOS_ReadFile
   6094325: FILES:DOS_ReadFile
   6374777: FILES:DOS_ReadFile
   6658496: FILES:DOS_ReadFile
   6932469: FILES:DOS_ReadFile
   7215750: FILES:DOS_ReadFile
   7496544: FILES:DOS_ReadFile
   7777707: FILES:DOS_ReadFile
   8052729: FILES:DOS_ReadFile
   8330565: FILES:DOS_ReadFile
   8636637: FILES:DOS_ReadFile
   8939103: FILES:DOS_ReadFile
   9087372: FILES:DOS_CloseFile
   9089067: FILES:DOS_OpenFile
   9089067: FILES:file open command 0 file mcga.dif
   9089090: FILES:DOS_ReadFile
   9091047: FILES:DOS_SeekFile
   9091063: FILES:DOS_ReadFile
   9395235: FILES:DOS_ReadFile
   9701446: FILES:DOS_ReadFile
   9751824: FILES:DOS_CloseFile
  10375116: FILES:DOS_OpenFile
  10375116: FILES:file open command 0 file mcga.cod
  10375139: FILES:DOS_ReadFile
  10377144: FILES:DOS_SeekFile
  10377160: FILES:DOS_ReadFile
  10650078: FILES:DOS_ReadFile
  10917421: FILES:DOS_ReadFile
  11188582: FILES:DOS_ReadFile
  11480708: FILES:DOS_ReadFile
  11793549: FILES:DOS_ReadFile
  12112300: FILES:DOS_CloseFile
  12136719: PIC:0 mask FB
  12136737: PIC:0 mask F8
  12137701: INT10:Set Video Mode 13
  12137701: VGA:Blinking 0
  12137774: PIC:0 mask FB
  12137791: PIC:0 mask F8
  12137796: PIT:PIT 0 Timer set without new control word
  12137796: PIT:PIT 0 Timer at 100.00 Hz mode 3
  12139079: MOUSE:Define Hortizontal range min:0 max:638
  12139142: MOUSE:Define Vertical range min:0 max:199
  12139708: FILES:DOS_OpenFile
    12139708: FILES:file open command 0 file ad15.drv
  12139718: FILES:DOS_SeekFile
  12139726: FILES:DOS_SeekFile
  12139748: FILES:DOS_CloseFile
  12139936: FILES:DOS_OpenFile
    12139936: FILES:file open command 0 file ad15.drv
  12139947: FILES:DOS_ReadFile
  12139957: FILES:DOS_CloseFile

I hope to see logical parts inside these files by using the information from open, seek and read

llm

Re: load.exe compression (first level)
« Reply #5 on: January 11, 2009, 05:44:59 PM »
even more detailed - the readfile operations look strange

    292274: EXEC:Parsing command line: load /u MCGA /ssb
    292277: EXEC:Execute load.EXE 0
    292277: FILES:DOS_OpenFile
    292277: FILES:file open command 0 file load.EXE
    292277: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 28 )
    292277: FILES:DOS_SeekFile( pos: 928, type: DOS_SEEK_SET )
    292277: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 20576 )
    292277: FILES:DOS_SeekFile( pos: 28, type: DOS_SEEK_SET )

224 x 292277: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 4 )

    292277: FILES:DOS_CloseFile
    292277: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    295175: FILES:DOS_OpenFile
    295175: FILES:file open command 0 file setup.dat
    296058: FILES:DOS_WriteFile
    297261: FILES:DOS_OpenFile
    297261: FILES:file open command 0 file LOAD.EXE
    297271: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_END )
    297279: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_SET )
    297300: FILES:DOS_CloseFile
    297300: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    297736: FILES:DOS_OpenFile
    297736: FILES:file open command 0 file LOAD.EXE
    297972: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 32768 )
    298098: FILES:DOS_CloseFile
    298098: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    299442: FILES:DOS_OpenFile
    299442: FILES:file open command 0 file LOAD.EXE
    299595: FILES:DOS_SeekFile( pos: 928, type: DOS_SEEK_SET )
    299822: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 20352 )
    299946: FILES:DOS_CloseFile
    299946: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    303022: FILES:DOS_OpenFile
    303022: FILES:file open command 0 file LOAD.EXE
    303258: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 32768 )
    303398: FILES:DOS_CloseFile
    303398: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    324105: FILES:DOS_OpenFile
    324105: FILES:file open command 0 file setup.dat
    325611: FILES:DOS_OpenFile
    325611: FILES:file open command 0 file MCGA.hdr
    325621: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_END )
    325629: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_SET )
    325651: FILES:DOS_CloseFile
    325651: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.HDR )
    326087: FILES:DOS_OpenFile
    326087: FILES:file open command 0 file MCGA.hdr
    326323: FILES:DOS_ReadFile( name: STUNTS11\MCGA.HDR, amount: 32768 )
    326449: FILES:DOS_CloseFile
    326449: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.HDR )
    331822: FILES:DOS_OpenFile
    331822: FILES:file open command 0 file ega.cmn
    331845: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 512 )
    333849: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
    333865: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
    608542: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
    884622: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1159489: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1436204: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1715283: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1995735: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2279468: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2553427: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2836708: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3117516: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3398665: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3673687: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3951523: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4257609: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4560061: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4708330: FILES:DOS_CloseFile
   4708330: FILES:  DOS_CloseFile( name: STUNTS11\EGA.CMN )
   4710849: FILES:DOS_OpenFile
   4710849: FILES:file open command 0 file ega.cmn
   4710872: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 512 )
   4712877: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
   4712893: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4987584: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5263664: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5538517: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5815246: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6094325: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6374777: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6658496: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6932469: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7215750: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7496544: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7777707: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8052729: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8330565: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8636637: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8939103: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   9087372: FILES:DOS_CloseFile
   9087372: FILES:  DOS_CloseFile( name: STUNTS11\EGA.CMN )
   9089067: FILES:DOS_OpenFile
   9089067: FILES:file open command 0 file mcga.dif
   9089090: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 512 )
   9091047: FILES:DOS_SeekFile( pos: 262, type: DOS_SEEK_SET )
   9091063: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 8192 )
   9395235: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 8192 )
   9701446: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 8192 )
   9751824: FILES:DOS_CloseFile
   9751824: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.DIF )
  10375116: FILES:DOS_OpenFile
  10375116: FILES:file open command 0 file mcga.cod
  10375139: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 512 )
  10377144: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
  10377160: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  10650078: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  10917421: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11188582: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11480708: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11793549: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  12112300: FILES:DOS_CloseFile
  12112300: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.COD )
  12136719: PIC:0 mask FB
  12136737: PIC:0 mask F8
  12137701: INT10:Set Video Mode 13
  12137701: VGA:Blinking 0
  12137774: PIC:0 mask FB
  12137791: PIC:0 mask F8
  12137796: PIT:PIT 0 Timer set without new control word
  12137796: PIT:PIT 0 Timer at 100.00 Hz mode 3
  12139079: MOUSE:Define Hortizontal range min:0 max:638
  12139142: MOUSE:Define Vertical range min:0 max:199
  12139708: FILES:DOS_OpenFile
  12139708: FILES:file open command 0 file ad15.drv
  12139718: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_END )
  12139726: FILES:DOS_SeekFile( pos: 0, type: DOS_SEEK_SET )
  12139748: FILES:DOS_CloseFile
  12139748: FILES:  DOS_CloseFile( name: STUNTS11\AD15.DRV )
  12139936: FILES:DOS_OpenFile
  12139936: FILES:file open command 0 file ad15.drv
  12139947: FILES:DOS_ReadFile( name: STUNTS11\AD15.DRV, amount: 16384 )
  12139957: FILES:DOS_CloseFile
  12139957: FILES:  DOS_CloseFile( name: STUNTS11\AD15.DRV )

Krys TOFF

Re: load.exe compression (first level)
« Reply #6 on: January 11, 2009, 06:40:35 PM »
Welcome to the community llm.
I won't take part in this discussion, too technical for me. ;D

dstien

Re: load.exe compression (first level)
« Reply #7 on: January 14, 2009, 07:26:17 PM »
CMN/DIF/COD files are compressed using the same scheme as game resource files. Image header HDR and sound driver DRV are not compressed afaik. The DOSBox debugger BPINT command takes an AH register value as its second argument, so "BPINT 21 3F" will break on DOS file read.

I'll have to dig up my Stunts notes, I think I have plenty of comments and symbol names for the uncompression subroutines. Another hacker just resurfaced here as well recently, hopefully we can collaborate to reverse the CMN/DIF/COD patching in order to produce a stand-alone EXE image so we don't have to deal with LOAD.EXE's self-modification.

llm

Re: load.exe compression (first level)
« Reply #8 on: January 14, 2009, 08:44:48 PM »
the HDR is an exe-file header according to the UNP tool and Cas

and the combined (loaded by load.exe) executables CMN/DIF and COD files are nearly the size of the exe-image-size in the HDR file;
maybe the uncompressed versions are filling the gap of just ~4kbytes :-)

@dstien:
can you upload the uncompressed versions of the DIF, CMN and COD files?
is load.exe still usable with the uncompressed files (like the game-data)?
« Last Edit: January 15, 2009, 04:06:20 AM by llm »

llm

Re: load.exe compression (first level)
« Reply #9 on: January 16, 2009, 09:10:54 AM »
@dstien: I got your stunpack compiled and uncompressed the files myself

what's interesting is that the uncompressed EGA.CMN + MCGA.COD is exactly
the size in bytes as stated in the MCGA.HDR under exe-image size: 198613 bytes

mcga.hdr
    File Information          (in Hex)
 Header size:                      0020 --> 32
 Code size:                    000307D5 --> 198613
 Min Load size:                000383D5 --> 230357
 Min allocation (para):            07C0
 Max allocation (para):            07C0
 Initial CS:IP:               2F25:0012
 Initial SS:SP:               322D:0080
 Relocation count:                 0000
 Relo table start:                 001E
 EXE file checksum:                0000
 Overlay number:                   0000

name      filesize
mcga.hdr       30
ega.cmn    143104
mcga.cod    55509
mcga.dif    23062

ega.cmn  + mcga.cod = 143104 + 55509 = 198613 == Code size

« Last Edit: January 16, 2009, 03:14:02 PM by llm »
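
The arithmetic in this post, as an added example (not the poster's tool, not stunpack and not the project's code): a small Python parser for the 16-bit MZ header that MCGA.HDR turns out to be, built from the listed fields, which derives the code size, the minimum load size and where the initial CS:IP falls once EGA.CMN and MCGA.COD are laid end to end. The e_cp/e_cblp words are not in the listing and are an assumption derived from the 198613-byte code size; the decompressed file sizes are the ones from the table.

```python
"""Added example: parse a DOS MZ (EXE) header and check the observation
that decompressed EGA.CMN + MCGA.COD exactly fill the code size announced
by MCGA.HDR.  Field values come from the MCGA.HDR listing in the thread;
e_cp/e_cblp are derived (assumption), see build_mcga_hdr()."""
import struct
from typing import Dict, Sequence, Tuple

PARA = 16    # a DOS paragraph is 16 bytes
PAGE = 512   # e_cp counts 512-byte pages

# Classic 28-byte MZ header: "MZ" followed by 13 little-endian words.
_MZ_FMT = "<2s" + "H" * 13
_MZ_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
              "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
              "e_lfarlc", "e_ovno")

# Constructed from the poster's file-size table (decompressed sizes).
DECOMPRESSED_SIZES = {"ega.cmn": 143104, "mcga.cod": 55509, "mcga.dif": 23062}


def build_mcga_hdr() -> bytes:
    """Constructed 30-byte header matching the MCGA.HDR dump in the thread.

    e_cp=0x0185 / e_cblp=0x01D5 are NOT in the dump; they are derived so that
    0x185*512 - (512-0x1D5) - 0x20*16 == 198613 (the listed code size).
    Two trailing zero bytes make the file 30 bytes, as the size table says.
    """
    hdr = struct.pack(
        _MZ_FMT, b"MZ",
        0x01D5,  # e_cblp    bytes used in the last page (derived)
        0x0185,  # e_cp      512-byte pages in the image (derived)
        0x0000,  # e_crlc    relocation count        (listed 0000)
        0x0020,  # e_cparhdr header size, paragraphs (listed 0020)
        0x07C0,  # e_minalloc                         (listed 07C0)
        0x07C0,  # e_maxalloc                         (listed 07C0)
        0x322D,  # e_ss  \ initial SS:SP              (listed 322D:0080)
        0x0080,  # e_sp  /
        0x0000,  # e_csum                             (listed 0000)
        0x0012,  # e_ip  \ initial CS:IP              (listed 2F25:0012)
        0x2F25,  # e_cs  /
        0x001E,  # e_lfarlc relocation table offset   (listed 001E)
        0x0000,  # e_ovno   overlay number            (listed 0000)
    )
    return hdr + b"\x00\x00"


def parse_mz(data: bytes) -> Dict[str, int]:
    """Decode the header and derive the sizes UNP-style tools print."""
    if len(data) < struct.calcsize(_MZ_FMT):
        raise ValueError("too short for an MZ header")
    magic, *words = struct.unpack_from(_MZ_FMT, data, 0)
    if magic not in (b"MZ", b"ZM"):   # both byte orders are valid DOS signatures
        raise ValueError("bad MZ signature %r" % magic)
    h = dict(zip(_MZ_FIELDS, words))
    h["header_bytes"] = h["e_cparhdr"] * PARA      # 0x20 paragraphs = 512 bytes
    total = h["e_cp"] * PAGE
    if h["e_cblp"]:                                # 0 means the last page is full
        total -= PAGE - h["e_cblp"]
    h["code_size"] = total - h["header_bytes"]     # size of the load module
    h["min_load_size"] = h["code_size"] + h["e_minalloc"] * PARA
    h["entry_offset"] = h["e_cs"] * PARA + h["e_ip"]   # offset into load module
    h["stack_top"] = h["e_ss"] * PARA + h["e_sp"]
    return h


def image_fills_code_size(h: Dict[str, int], parts: Sequence[str]) -> bool:
    """True when the named decompressed files sum exactly to the code size."""
    return sum(DECOMPRESSED_SIZES[p] for p in parts) == h["code_size"]


def locate_entry(h: Dict[str, int], parts: Sequence[str]) -> Tuple[str, int]:
    """Map the header's CS:IP onto the files laid out in `parts` order.

    Returns (file name, offset inside that file).  Assumes the files are
    simply concatenated in the given order, which the size match suggests.
    """
    off = h["entry_offset"]
    for name in parts:
        size = DECOMPRESSED_SIZES[name]
        if off < size:
            return name, off
        off -= size
    raise ValueError("entry point lies outside the load module")


if __name__ == "__main__":
    h = parse_mz(build_mcga_hdr())
    print("code size      :", h["code_size"])        # 198613
    print("min load size  :", h["min_load_size"])    # 230357
    print("CMN+COD fills? :", image_fills_code_size(h, ["ega.cmn", "mcga.cod"]))
    print("entry point in :", locate_entry(h, ["ega.cmn", "mcga.cod"]))
    print("stack in BSS?  :", h["code_size"] <= h["stack_top"] < h["min_load_size"])
```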

Duplode

Re: load.exe compression (first level)
« Reply #10 on: January 18, 2009, 04:19:11 AM »
(I'm late, but still) Welcome, Llm! As of now I lack both knowledge and time to get actively involved in those efforts, but it's great to know the reverse engineering efforts are not a lonely struggle any more  ;) Knowledge is power!

Chulk

Re: load.exe compression (first level)
« Reply #11 on: January 18, 2009, 07:35:00 AM »
This is by far the topic I understand the least... but it's great to see people working on it.

Knowledge is power!
Then I'm powerless here  :D

llm

Re: load.exe compression (first level)
« Reply #12 on: January 18, 2009, 03:51:28 PM »
I've added log entries to all DOS functions used by load.exe (execute, file, memory) and that's the log
of the complete process after DOS hands control over to load.exe itself

    295175: FILES:DOS_OpenFile
    295175: FILES:file open command 0 file setup.dat
    296058: FILES:DOS_WriteFile
filesize(load.exe)
    297490: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 34087 = 545392 bytes )
    297576: MISC:DOS_AllocateMemory( segment: 9ACC, blocks: 1330 = 21280 bytes )
    297667: MISC:DOS_FreeMemory( segment: 15A4 )
    297736: FILES:DOS_OpenFile
    297736: FILES:file open command 0 file LOAD.EXE
    297972: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 21280 )
    298098: FILES:DOS_CloseFile
    298098: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    298528: MISC:DOS_FreeMemory( segment: 9ACC )
    299000: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25070 = 401120 bytes )
    299086: MISC:DOS_AllocateMemory( segment: 7793, blocks: 10347 = 165552 bytes )
    299177: MISC:DOS_FreeMemory( segment: 15A4 )
    299442: FILES:DOS_OpenFile
    299442: FILES:file open command 0 file LOAD.EXE
    299595: FILES:DOS_SeekFile( pos: 928, type: DOS_SEEK_SET )
    299822: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 20352 )
    299946: FILES:DOS_CloseFile
    299946: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    301086: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25061 = 400976 bytes )
    301172: MISC:DOS_AllocateMemory( segment: 778A, blocks: 7 = 112 bytes )
    301263: MISC:DOS_FreeMemory( segment: 15A4 )
    302956: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 24293 = 388688 bytes )
    303022: FILES:DOS_OpenFile
    303022: FILES:file open command 0 file LOAD.EXE
    303258: FILES:DOS_ReadFile( name: STUNTS11\LOAD.EXE, amount: 21280 )
    303398: FILES:DOS_CloseFile
    303398: FILES:  DOS_CloseFile( name: STUNTS11\LOAD.EXE )
    321005: MISC:DOS_FreeMemory( segment: 15A4 )
    321128: MISC:DOS_ResizeMemory ( segment: 7793, blocks: 5243 )
    324105: FILES:DOS_OpenFile
    324105: FILES:file open command 0 file setup.dat
    325611: FILES:DOS_OpenFile
filesize(mcga.hdr)
    325651: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.HDR )
    325841: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25057 = 400912 bytes )
    325927: MISC:DOS_AllocateMemory( segment: 105, blocks: 2 = 32 bytes )
    326018: MISC:DOS_FreeMemory( segment: 15A4 )
    326087: FILES:DOS_OpenFile
    326087: FILES:file open command 0 file MCGA.hdr
    326323: FILES:DOS_ReadFile( name: STUNTS11\MCGA.HDR, amount: 30 )
    326449: FILES:DOS_CloseFile
    326449: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.HDR )
    329267: MISC:DOS_FreeMemory( segment: 128 )
    329354: MISC:DOS_AllocateMemory( segment: 128, blocks: 14446 = 231136 bytes )
    331822: FILES:DOS_OpenFile
    331822: FILES:file open command 0 file ega.cmn
    331830: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
    331845: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 512 )
    333849: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
    333865: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
    608542: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
    884622: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1159489: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1436204: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1715283: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   1995735: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2279468: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2553427: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   2836708: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3117516: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3398665: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3673687: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   3951523: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4257609: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4560061: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 4184 )
   4708324: MISC:DOS_FreeMemory( segment: 3997 )
   4708330: FILES:DOS_CloseFile
   4708330: FILES:  DOS_CloseFile( name: STUNTS11\EGA.CMN )
   4710849: FILES:DOS_OpenFile
   4710849: FILES:file open command 0 file ega.cmn
   4710857: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
   4710872: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 512 )
   4712877: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
   4712893: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   4987584: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5263664: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5538517: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   5815246: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6094325: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6374777: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6658496: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   6932469: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7215750: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7496544: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   7777707: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8052729: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8330565: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8636637: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 8192 )
   8939103: FILES:DOS_ReadFile( name: STUNTS11\EGA.CMN, amount: 4184 )
   9087366: MISC:DOS_FreeMemory( segment: 3997 )
   9087372: FILES:DOS_CloseFile
   9087372: FILES:  DOS_CloseFile( name: STUNTS11\EGA.CMN )
   9089006: MISC:DOS_AllocateMemory( segment: 3997, blocks: 15090 = 241440 bytes )
   9089067: FILES:DOS_OpenFile
   9089067: FILES:file open command 0 file mcga.dif
   9089075: MISC:DOS_AllocateMemory( segment: 748A, blocks: 512 = 8192 bytes )
   9089090: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 512 )
   9091047: FILES:DOS_SeekFile( pos: 262, type: DOS_SEEK_SET )
   9091063: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 8192 )
   9395235: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 8192 )
   9701446: FILES:DOS_ReadFile( name: STUNTS11\MCGA.DIF, amount: 1312 )
   9751818: MISC:DOS_FreeMemory( segment: 748A )
   9751824: FILES:DOS_CloseFile
   9751824: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.DIF )
  10374975: MISC:DOS_FreeMemory( segment: 3997 )
  10375116: FILES:DOS_OpenFile
  10375116: FILES:file open command 0 file mcga.cod
  10375124: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
  10375139: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 512 )
  10377144: FILES:DOS_SeekFile( pos: 273, type: DOS_SEEK_SET )
  10377160: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  10650078: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  10917421: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11188582: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11480708: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 8192 )
  11793549: FILES:DOS_ReadFile( name: STUNTS11\MCGA.COD, amount: 7666 )
  12112294: MISC:DOS_FreeMemory( segment: 3997 )
  12112300: FILES:DOS_CloseFile
  12112300: FILES:  DOS_CloseFile( name: STUNTS11\MCGA.COD )
  12112455: MISC:DOS_FreeMemory( segment: 105 )
  12112594: MISC:DOS_FreeMemory( segment: 778A )
  12112682: MISC:DOS_FreeMemory( segment: 7793 )
  12135695: MISC:DOS_ResizeMemory ( segment: 128, blocks: 14446 )
  12136719: PIC:0 mask FB
  12136737: PIC:0 mask F8
  12137300: MISC:DOS_AllocateMemory( segment: 3997, blocks: 100 = 1600 bytes )
  12137311: MISC:DOS_ResizeMemory ( segment: 3997, blocks: 26217 )
  12137316: MISC:DOS_ResizeMemory ( segment: 3997, blocks: 26216 )
  12137701: INT10:Set Video Mode 13
  12137701: VGA:Blinking 0
  12137774: PIC:0 mask FB
  12137791: PIC:0 mask F8
  12137796: PIT:PIT 0 Timer set without new control word
  12137796: PIT:PIT 0 Timer at 100.00 Hz mode 3
  12139079: MOUSE:Define Hortizontal range min:0 max:638
  12139142: MOUSE:Define Vertical range min:0 max:199
filesize(ad15.drv)
  12139936: FILES:DOS_OpenFile
  12139936: FILES:file open command 0 file ad15.drv
  12139947: FILES:DOS_ReadFile( name: STUNTS11\AD15.DRV, amount: 3571 )
  12139957: FILES:DOS_CloseFile
  12139957: FILES:  DOS_CloseFile( name: STUNTS11\AD15.DRV )
  12172478: FILES:DOS_OpenFile
  12172478: FILES:file open command 0 file sdmain.PVS
  12172488: FILES:DOS_ReadFile( name: STUNTS11\SDMAIN.PVS, amount: 4 )
  12172496: FILES:DOS_CloseFile
  12172496: FILES:  DOS_CloseFile( name: STUNTS11\SDMAIN.PVS )
filesize(sdmain.pvs)
  12172789: FILES:DOS_OpenFile
  12172789: FILES:file open command 0 file sdmain.PVS
  12172800: FILES:DOS_ReadFile( name: STUNTS11\SDMAIN.PVS, amount: 1176 )
  12172810: FILES:DOS_CloseFile
  12172810: FILES:  DOS_CloseFile( name: STUNTS11\SDMAIN.PVS )

my intention/questions:
- what does load.exe read from itself (the readfile operations on load.exe are invoked by the load.exe code itself)
- which memory segment is used to store the combined code? (some segments are not freed)
- reduce the amount of unknowns to the absolute minimum - before starting the disassembler-party
- find a good starting point in the game-startup process for going through the disassembled code
any other ideas about what is interesting to see in the log?

todo: find out which allocated segments are used for the readfiles
and (more important) which are not (needed for holding the uncompressed code)

and what I can say so far is:
- the cmn,cod,dif,hdr,drv executables are loaded only at load.exe startup - no later access to these files (that means the code IS completely in ram)
- it seems that the video-stuff (mcga init, ...) is activated before the sound-drv

anyone interested in my small dosbox changes to produce the same log?

and a question about dos memory:
is a paragraph 16 bytes?
and why can I allocate (in my log) memory larger than 64kb?

is there a better place for posting my logs?
« Last Edit: January 18, 2009, 04:03:40 PM by llm »
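
One way to work the "which allocated segments are used, and which are not" todo and the paragraph question out of the log itself, as an added example (not the poster's DOSBox patch): replay the MISC:DOS_AllocateMemory / DOS_FreeMemory / DOS_ResizeMemory lines copied from the post above and keep a table of the blocks still live at the end. A DOS block is counted in 16-byte paragraphs, so a single allocation can legitimately exceed 64 KB; the 64 KB limit is the offset range within one segment, not a limit on a block.

```python
"""Added example: replay the MISC:DOS_*Memory lines of a DOSBox debugger
log and list the blocks still allocated at the end.  Not the poster's
DOSBox patch; the sample lines are copied from the log in the post above."""
import re
from typing import Dict, Iterable, List, Tuple

PARA = 16   # a DOS paragraph ("block" in the log) is 16 bytes

# Copied from the post; only the memory-function lines are needed here.
SAMPLE_LOG = """\
    297490: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 34087 = 545392 bytes )
    297576: MISC:DOS_AllocateMemory( segment: 9ACC, blocks: 1330 = 21280 bytes )
    297667: MISC:DOS_FreeMemory( segment: 15A4 )
    298528: MISC:DOS_FreeMemory( segment: 9ACC )
    299000: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25070 = 401120 bytes )
    299086: MISC:DOS_AllocateMemory( segment: 7793, blocks: 10347 = 165552 bytes )
    299177: MISC:DOS_FreeMemory( segment: 15A4 )
    301086: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25061 = 400976 bytes )
    301172: MISC:DOS_AllocateMemory( segment: 778A, blocks: 7 = 112 bytes )
    301263: MISC:DOS_FreeMemory( segment: 15A4 )
    302956: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 24293 = 388688 bytes )
    321005: MISC:DOS_FreeMemory( segment: 15A4 )
    321128: MISC:DOS_ResizeMemory ( segment: 7793, blocks: 5243 )
    325841: MISC:DOS_AllocateMemory( segment: 15A4, blocks: 25057 = 400912 bytes )
    325927: MISC:DOS_AllocateMemory( segment: 105, blocks: 2 = 32 bytes )
    326018: MISC:DOS_FreeMemory( segment: 15A4 )
    329267: MISC:DOS_FreeMemory( segment: 128 )
    329354: MISC:DOS_AllocateMemory( segment: 128, blocks: 14446 = 231136 bytes )
    331830: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
   4708324: MISC:DOS_FreeMemory( segment: 3997 )
   4710857: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
   9087366: MISC:DOS_FreeMemory( segment: 3997 )
   9089006: MISC:DOS_AllocateMemory( segment: 3997, blocks: 15090 = 241440 bytes )
   9089075: MISC:DOS_AllocateMemory( segment: 748A, blocks: 512 = 8192 bytes )
   9751818: MISC:DOS_FreeMemory( segment: 748A )
  10374975: MISC:DOS_FreeMemory( segment: 3997 )
  10375124: MISC:DOS_AllocateMemory( segment: 3997, blocks: 512 = 8192 bytes )
  12112294: MISC:DOS_FreeMemory( segment: 3997 )
  12112455: MISC:DOS_FreeMemory( segment: 105 )
  12112594: MISC:DOS_FreeMemory( segment: 778A )
  12112682: MISC:DOS_FreeMemory( segment: 7793 )
  12135695: MISC:DOS_ResizeMemory ( segment: 128, blocks: 14446 )
  12137300: MISC:DOS_AllocateMemory( segment: 3997, blocks: 100 = 1600 bytes )
  12137311: MISC:DOS_ResizeMemory ( segment: 3997, blocks: 26217 )
  12137316: MISC:DOS_ResizeMemory ( segment: 3997, blocks: 26216 )
""".splitlines()

# \s*\( tolerates the stray space in "DOS_ResizeMemory (" seen in the log;
# the blocks and "= N bytes" groups are optional because Free lines lack them.
_OP = re.compile(
    r"MISC:DOS_(Allocate|Free|Resize)Memory\s*\(\s*segment:\s*([0-9A-Fa-f]+)"
    r"(?:,\s*blocks:\s*(\d+))?(?:\s*=\s*(\d+)\s*bytes)?")


def replay(lines: Iterable[str]) -> Tuple[Dict[int, int], List[str]]:
    """Return ({segment: paragraphs still allocated}, [anomaly notes])."""
    live: Dict[int, int] = {}
    notes: List[str] = []
    for ln in lines:
        m = _OP.search(ln)
        if not m:
            continue                      # FILES:, VGA:, ... lines are ignored
        op, seg = m.group(1), int(m.group(2), 16)
        blocks = int(m.group(3)) if m.group(3) else None
        if blocks is not None and m.group(4) and int(m.group(4)) != blocks * PARA:
            notes.append(f"{seg:04X}: byte count is not blocks*16")
        if op == "Allocate":
            if seg in live:
                notes.append(f"{seg:04X}: allocated twice without a free")
            live[seg] = blocks
        elif op == "Resize":
            if seg not in live:
                notes.append(f"{seg:04X}: resize of a block not seen allocated")
            live[seg] = blocks
        else:                             # Free
            if live.pop(seg, None) is None:
                notes.append(f"{seg:04X}: freed but never allocated in this log")
    return live, notes


def live_bytes(live: Dict[int, int]) -> Dict[int, int]:
    """Paragraph counts to byte sizes; shows why a block may exceed 64 KB."""
    return {seg: blocks * PARA for seg, blocks in live.items()}


if __name__ == "__main__":
    live, notes = replay(SAMPLE_LOG)
    for seg, size in sorted(live_bytes(live).items()):
        print(f"segment {seg:04X}: {live[seg]} paragraphs = {size} bytes")
    for n in notes:
        print("note:", n)
```

The one anomaly it reports, segment 128 freed before any allocation appears, is expected: that block was handed to the program by DOS before logging started, so a replay cannot see its creation.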

llm

Re: load.exe compression (first level)
« Reply #13 on: January 18, 2009, 04:57:54 PM »
the allocation for segment 128 is the right size (from mcga.hdr)
and, together with the allocation for segment 3997, the only memory which survives the alloc/free startup process
until mcga init

for segment 128 (the 5th memory function after filesize(mcga.hdr))
329354: MISC:DOS_AllocateMemory( segment: 128, blocks: 14446 = 231136 bytes )

...

for segment 3397 (the 3rd line before  12137701: INT10:Set Video Mode 13)
MISC:DOS_AllocateMemory( segment: 3997, blocks: 100 = 1600 bytes )

these two need to hold the code - because all others are freed :-)

is there a way to dump the memory into a file?

llm

Re: load.exe compression (first level)
« Reply #14 on: January 18, 2009, 07:20:43 PM »
I've dumped segment 128 into a file (memdumpbin 128:0 length in hex)
and segment 3397

~ = uncompressed and modified

memdump_128 = ~ega.cmn~ + ~mcga.cod~

and it seems that the last part of the file is the uncompressed mcga.cod with small differences
the front seems to be the ega.cmn, also with small differences (some blank fields of the original file now contain "ad15.drv" etc...)

the header of the dump from segment 3397 is the adv15.drv (also with small modifications)
then the uncompressed mcga.dif (minor modifications) and the load.exe at the end

memdump_3397 = ~adv15.drv~ + ~mcga.diff~ + big_unknown_block + ~load.exe~

I need a very very good diff tool - I tried araxis merge at my company - but I need something free

the small modifications can be a bug in the stunpack algorithm or uninitialized data or something
« Last Edit: January 18, 2009, 08:07:45 PM by llm »