| Sierrie Online HiRes Adventures... show all rooms? is this possible with debugger editor? [message #384375] |
Sat, 08 June 2019 15:57  |
Apple2Games
Messages: 24
Registered: October 2012
Karma: 0
|
Junior Member |
|
|
Hi all...
Playing around with Scumm VM and looking at the source code. Not a C programmer but I see the code for the old HiRes adventures all call different rooms based on where the user is. So I am wondering if it is possible with AppleWin or any other emulator to manipulate the registers and jump from room to room without having to actually solve the puzzles? I was sector editing Wizard and the Princess to see what I could see and I was seeing a LOT of phrases from Mission Asteroid and some that I didn't recognize at all. So that got me thinking on this. However... I'm terrible with the AppleWin editor and wouldn't know what to look at or for.
-Dave
|
|
|
|
| Sierrie Online HiRes Adventures... show all rooms? is this possible with debugger editor? [message #384388 is a reply to message #384375] |
Sun, 09 June 2019 12:09  |
Michael AppleWin Debu
Messages: 1262
Registered: March 2013
Karma: 0
|
Senior Member |
|
|
Dave,
Technically, AppleWin doesn't have an editor -- just a debugger. Maybe someday but for now we are "stuck" with a bare-bones debugger command line. With the pedantry out of the way to answer your question. :-)
1. You easily manipulate register(s) in the debugger.
Press F7 to toggle the debugger.
Then to set the PC, A, X, Y, or S register(s) use the R command.
R A 12
You can type HELP R to get a mini-help. (Hmm, looks like not being able to set the P register is a bug.)
Press F7 to exit the debugger.
2. Again, technically, this newsgroup isn't /r/ReverseEngineering but part of reverse engineering is understanding what, how, and why the code is doing what it is doing.
I would *highly* recommend you read Don Lancaster's excellent
Tearing into Machine Language Code
https://www.tinaja.com/ebooks/tearing_rework.pdf
While I'm not familiar with Mystery House HiRes Adventure and I am NOT going explain in detail HOW TO do reverse engineering I will share some tips. I took a quick look at /images/games/adventure/mystery_house.dsk and I can explain the process I typically use to reverse engineer a game when I spent a few minutes with it -- most it typing this stuff up. :-)
Fire the game up, press G to start a new game, wait for the house to draw and then press F7 to enter the debugger.
I like to see what graphics page(s) are being used. Since this is using higher resolution type:
HGR
and then press a key.
I like to know if the game is using page 2, so back at the debugger type:
HGR2
and press a key. Looks like $4000+ is using for either code/data.
I also like to know if the Pseudo "Page 3" is being used (Ultima 4, Conan, etc.) but since Mystery House is only using one page of graphics I'm going to skip this step.
Next, I like to view the entire 48 KB as a ASCII/hex dump just to see what goodies are scattered around. You can use the undocumented DATA command for this but that requires that we first set a "Mini Dump" view. The command MA1 shows memory as ASCII in the bottom right. The DATA command will switch the debugger from viewing code to viewing data.
MA1 800
DATA
Oooh, what's this? We have left over source code in memory!?
; DO THE ACTION
; GET THE # OF ACTIONS TO DO
You can use the arrow keys to scroll for granular control but I like to use Page Up/Down for coarse perusing. Paging down to 1700 we see the what is probably the NOUNS the interpreter understands! You can also enter this to directly jump to the memory location:
MA1 1700
We see:
DAISY
AFLOWER
BILL
@JOE
@SALLY
Scrolling down we come across this comment @ ~1CD8:
;UPDATE THE ROOM
(ZAWORK),Y
#OXCOORD
;SET THE X COORD
(ZAWORK),Y
#OYCOORD
;SET THE YCOORD
(ZAWORK),Y
;SWITCH TO PERMANENT VIEW FOR THIS ROOM
;
#BASEPIC
(CUROOM),Y
#RCURPIC
(CUROOM),Y
While this doesn't explicitly answer the question, it may implicitly help as it gives us an idea of the "pattern" of code we may want to keep our eyes out for. Assuming the comments are up-to-date of course. :-)
CUROOM = 16-bit pointer to Current Room. The Y register is being used to access which member variable. In C this would look:
struct Room_t
{
uint8_t ox_coord;
uint8_t oy_coord;
uint8_t base_pic;
uint8_t room_cur_pic;
}
Of course those fields could be in ANY order -- that's what you need to figure out. The correct offsets for them.
Scrolling to $4000 we come across this gem:
G
EEENTER
RUN
EXIT
LEAVE
WALK
U
CUP
CLIMB
Looks like these are the VERBS the interpreter understands.
Creating a "mental map" of a "memory block diagram" is **essential** in reverse engineering:
+------+
| 0800 | ???
+------+
| 1700 | Nouns
+------+
| 1C00 | ???
+------+
| 2000 | HGR Page 1
+------+
| 4000 | VERBS
+------+
| 4340 | Data: X,Y coords of graphics???
+------+
| 5C00 | unused
+------+
| 6100 | code
+------+
| 6E00 | unused
+------+
| 7000 | code
+------+
| 7130 | unused
+------+
| 7200 | code
+------+
| 7730 | unused
+------+
| 7900 | code
+------+
| 7A78 | unused
+------+
| 7D00 | code
+------+
| 8068 | unused
+------+
| 9600 | DOS 3.3B
| BFFF |
+------+
But I'm getting ahead of myself.
Normally when I start tearing into a game I start with "known" attack vectors. On the Apple 2 this means searching memory for where the speaker ($C030) or the keyboard ($C000) is accessed. Since we viewed memory from $0800 ... $4300 this means we don't need to search that block of memory. However, this isn't your typical action game so we'll take a different approach to locating where the "main loop" is.
Remember when we first entered the debugger? Noticed we were in the 80-column firmware @ $C2xx. Type CODE to switch back to code view, and then press TAB to show where the PC is.
CODE
<TAB>
We can set a break point to just after getting a key.
BPX C290
<F7>
L
That last key L can be anything you press on keyboard that is passed to the emulator.
Let's trace out of the firmware back into the game. You can press SPACE to single-step. Do that around 15 times and we end up back at $9EB1. Hmm, this code looks a lot like DOS 3.3 code!
BC00L
And we see a page full of zeroes. Pretty good chance this is DOS 3.3.
MA2 B3AD
Oh look "DISK VOLUME " spelt backwards.
" EMULOV KSID"
Yup, this is DOS 3.3.
If you are curious you can refer to my DOS 3.3 annotated listing:
https://htmlpreview.github.io/?https://github.com/Michaelang el007/apple2_dos33/blob/master/dos33.html
Looks this is DOS 3.3B since the Version Easter Egg @ $B6D0 is present.
"B01-00"
Anyhoo, getting back to the game. Page $96 looks interesting!
MA1 9600
DATA
Looks like the room description!
Scrolling up we come across a couple more interesting snippets:
7330: <Ctrl-D>BLOAD BLOCK1 ,A$7D00<Ctrl-M>
7408: I CANT GO IN THAT DIRECTION
7500: <Ctrl-D>READ MESSAGES,B$0D79
One attack vector might be to set a break point on that memory location "I CANT GO .." when it is accessed.
BPM 740A
G
Continuing to view memory we noticed this message:
63B8: c Uv----
63C0: --------
63C8: --- ENTE
63D0: R COMMAN
63D8: D $00 $RTS
Looks like we found the start of the main loop! It is common in 6502 to "interleave" code and data and this is no exception. In assembly this would look like
JSR $7615
ASC "---- -------- --- ENTER COMMAND"
DB 0
RTS
We can set another break point at $63DA
BPX 63DA
We can see that this the start of the input prompt.
Let's clean up the debugger display so it doesn't try to display data as code.
ASC 63BC:63CB
ASC 63CC:63D9
We now see this:
63B9:20 15 76 JSR $7615
63BC:AD AD AD T_63BC ASC "--------------- "
63CC:C5 CE D4 T_63CC ASC "ENTER COMMAND@"
63DA:60 RTS
63DB:A9 BF LDA #$BF ?
63DD:85 33 STA PROMPT 0033:BF ?
63DF:20 6A FD JSR GETLN
63E2:AD 00 02 LDA LBUFF/IN 0200:CC L
63E5:C9 8D CMP #$8D M
63E7:F0 09 BEQ $63F2
63E9:8E 31 08 STX $0831 0831:01 A
63EC:A9 00 LDA #$00 @
63EE:8D 32 08 STA $0832 0832:01 A
63F1:60 RTS
63F2:AD CB 64 LDA $64CB 64CB:00 @ 50:GR./TEXT ASCII at 63B8
63F5:C9 FF CMP #$FF 52:FULL/MIX c Uv------------
63F7:F0 0B BEQ $6404 54:PAGE 1/2 --- ENTER COMMAN
63F9:A9 FF LDA #$FF 56:LO/HIRES D@`)?E3 j}-@BIMp
63FB:8D CB 64 STA $64CB 64CB:00 @ 5E:DHGR/HGR IN1H)@M2H`-KdI p
63FE:AD 51 C0 LDA TXTSET C051:00 @ 00:80Sto0/1 ASCII at B4C8
6401:4C DB 63 JMP $63DB 02:Rm/xWm/x BHELLO
6404:A9 00 LDA #$00 @ 0C:Col40/80 C
6406:8D CB 64 STA $64CB 64CB:00 @ 0E:ASC/MOUS @!LBMYSTERY.HELL
6409:AD 50 C0 LDA SW.TXTCLR C050:00 @ 80:B2/M R/W O
640C:AD 53 C0 LDA SW.MIXSET C053:00 @ 88:B1/M
Much better. ;-)
We can see that the game is using the monitor ROM (which chains to DOS 3.3 input)
via the snippet at 63DF:
63DF: JSR GETLN
63E3: LDA LBUFF/IN
63E5: CMP #$8D ; RETURN = Ctrl-M
Single Stepping we are returned to $6308
6300: LDA #00
6303: STA $0830
6305: JSR $63B9
6308: JSR $63DB
We can now start replacing this hex number with meaningful labels.
SYM PrintInputPrompt = 63B9
SYM GetInputLine = 63DB
As I mentioned this is NOT a HOW TO reverse engineer tutorial but with some
time, thinking, patience, you can slowly reverse engineer what the game is doing.
You'll be spending a *lot* of time looking at how the interpreter / virtual machine is implemented.
i.e.
http://thedoteaters.com/?bitstory=computer/mystery-house-and -sierra-on-line
However, Mystery House does contain 70 images, rough outlines created by Roberta on a VersaWriter tablet using a metal arm with an electronic eye at the tip. With this arm, an image drawn on paper can be traced, and Ken writes a program to convert the drawings into plotting commands that the computer will execute, drawing the illustrations without having to take up too much memory space. He also invents a special language to create the game, for use only in making graphic adventure games, called the Sierra Creative Interpreter. SCI takes the same route as competitor Infocom’s ZIL; it is a platform-agnostic language that can be easily adapted to any computer.
Hope this helps!
Cheers,
Michael
|
|
|
|
| Sierrie Online HiRes Adventures... show all rooms? is this possible with debugger editor? [message #384391 is a reply to message #384388] |
Sun, 09 June 2019 12:43 |
Michael AppleWin Debu
Messages: 1262
Registered: March 2013
Karma: 0
|
Senior Member |
|
|
You'll also want to take a look at this utility left on disk!
LOAD PIC SIZES
LIST
Which is this simple Applesoft file:
10 D$ = CHR$ (4)
20 LBASE = 10 * 4096 + 10 * 256 + 6 * 16
30 BLK = 1
40 PRINT D$;"BLOAD BLOCK"BLK
50 PRINT PEEK (LBASE + 1) * 256 + PEEK (LBASE)
60 BLK = BLK + 1
70 GOTO 40
Looks like Ken was first learning how to program as that's a long-winded way to get the DOS 3.3 File Length at $AA60 via the $A, $A, $6. ;-)
LBASE = 43616 = $AA60
Anyhoo, making two small changes to make the output much nicer:
45 PRINT "#";: IF BLK < 10 THEN PRINT " ";
46 PRINT BLK;", ";
65 IF BLK = 20 THEN END
We get this output when RUN
# 1, 874
# 2, 1180
# 3, 872
# 4, 770
# 5, 780
# 6, 756
# 7, 1030
# 8, 906
# 9, 898
#10, 904
#11, 1012
#12, 818
#13, 772
#14, 826
#15, 790
#16, 780
#17, 802
#18, 760
#19, 264
The default address for these BLOCK files is $4400. They could be p-code or compressed data for how to draw the rooms?
The game apparently has 70 rooms but only BLOCK1 .. BLOCK19 files.
Michael
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Members
Search
Help
Register
Login
Home
