Dangerous Dave Source Code


Gano Richardson

Aug 3, 2024, 5:07:21 PM
to stifbilinsay

Opening the file using the freeware version of IDA Pro, I was informed that the file is possibly a packed file. This means I should expect a big lump of data and some bootstrapping code that would unpack that data into executable code.

To disassemble the code I will use nasm. I want to start disassembling at offset 0x129A0 from the start of the file, and skip the first 0xE(=14) (allegedly) data bytes. The former is facilitated by the -e switch, and the latter by specifying a sync point using the -s switch (you can read all about the different switches here) like this:

The only interesting observation which can be made here is that 9812 looks a lot like a little-endian encoding of 0x1298, which is exactly the size of the packed code in paragraphs, so we can name it: word_0x8 = 0x1298 = packed code paragraphs.

Basically a memcpy of a chunk of 0x18a bytes from the beginning of the current segment to some address located 0x178d paragraphs forward. This chunk is exactly all the code from the start of the segment to the end of the file, which means that the bootstrapping code itself is copied forward in memory to make room for the unpacked data.

One thing to notice is the method with which the code is copied. The addresses loaded into the source (ds:si) and destination (es:di) point to the end of the copied buffers, and the direction flag (DF) is set (by the std instruction) so after each movsb the si and di registers will decrease.

This just pushes the new segment address of the copy of the bootstrap code (in bx), and then the offset 0x2b, making the retf serve as a far jump to bx:0x2b. Since there is no difference between the running code and its copy, we can just look at offset 0x2b in the current code to see where the program will continue execution.

This is a piece of code which will repeat a lot. What it does is shift the LSB of the control word into the CF, then update the remaining bits count (in dx) and if it has reached 0, the next control word is loaded into bp and the remaining bits count is reset.

This code actually handles the bit we pushed from the control word into the CF. If CF is set (control bit was 1) then copy a byte from the packed code to the unpacked code as-is and continue reading the next control bit. Otherwise (control bit was 0) continue with:

This code separates two values encoded into the word. The 3 least significant bits of the high byte are loaded into ax, while the remaining 5 most significant bits are shifted right. The or bh,0xe0 causes bx to contain the signed (and negative) value of its former value minus 8192.

This code just sets up the initial stack address (segment & offset), which also means that we can identify var_0x6 as the initial stack segment and var_0x4 as the initial stack offset. The code also loads var_0x2 with the segment address of the code start. The next (and last) instruction will reveal why:

This is a far jump, meaning that the address is loaded from two words at cs:0, the first (var_0x0) is the offset, and the second (var_0x2) is the segment, which means that the entry point of the unpacked code is simply its beginning.

This is a list of commercial video games with later released available source code. The source code of these commercially developed and distributed video games is available to the public or the games' communities.

Commercial video games are typically developed as proprietary closed-source software products, with the source code treated as a trade secret (unlike open-source video games).[1] When no more revenue is expected,[citation needed] these games reach end-of-life as products, with no support or availability for the game's users and community.[2]

In several of the cases listed here, the game's developers released the source code expressly to prevent their work from becoming lost. Such source code is often released under varying (free and non-free, commercial and non-commercial) software licenses to the games' communities or the public; artwork and data are often released under a different license than the source code, as the copyright situation is different or more complicated. The source code may be pushed by the developers to public repositories (e.g. SourceForge or GitHub), or given to selected game community members, or sold with the game, or become available by other means. Source code availability in whatever form allows the games' communities to study how the game works, make modifications, and provide technical support themselves when the official support has ended,[2] e.g. with unofficial patches to fix bugs or source ports to make the game compatible with new platforms.

Some developers that have released their source code have concluded that, in general terms, such action has not been harmful and even beneficial, among them Alec Holowka (Aquaria), Adam Saltsman (Canabalt),[3] John Carmack (Wolfenstein 3D, Doom, Quake),[4] Brian Hook (Quake II),[5] and Terry Cavanagh (VVVVVV).[6] Wolfire Games also noted (along with Saltsman) that releasing the source code didn't reduce sales.[3][7] However, releasing the source code may and has led to clones using the original proprietary assets from the game, with two notable examples of games having clones thanks to the source release being Canabalt and Lugaru HD. Although Saltsman has noted that those clones can be removed from storefronts with a DMCA takedown notice,[3] Jeff Rosen, co-founder of Wolfire Games, has recognized that such practices may discourage game developers from releasing their code.[8]

The games in this table were released under a free and open-source license with free content which allows reuse, modification and commercial redistribution of the whole game. Licenses can be public domain, GPL, BSD, Creative Commons, zlib, MIT, Artistic License or other (see the comparison of Free and open-source software and the Comparison of free and open-source software licenses).

Only the game engines in this table are developed under an open-source license, which means that reuse and modification is permitted only for the code. The assets are provided free of charge to the final user, but with some restrictions. Note that both the engine and the game code must be available under a license approved by the OSI and/or the FSF, if the game was made with a licensed engine.

Only the game engines in this table are developed under an open-source license, which means that reuse and modification is permitted only for the code. The assets are not provided for free and must be bought by the final user. Note that both the engine and the game code must be available under a license approved by the OSI and/or the FSF, if the game was made with a licensed engine.

In September 2017 a community developer managed to fix the dependencies of the open-source release, recompile the executable, fix several bugs and add higher-resolution support for the game.[350]

Video games in this table are source-available, but are neither open-source software according to the OSI definition nor free software according to the Free Software Foundation. If the source code is given out without a specified license or public domain waiver, it must legally be considered still proprietary under the Berne Convention. The assets are provided free of charge to the final user, but with some restrictions.

Video games in this table are source-available, but are neither open-source software according to the OSI definition nor free software according to the Free Software Foundation. If the source code is given out without a specified license or public domain waiver, it must legally be considered still proprietary under the Berne Convention. The assets are not provided for free.

I had a lot of "fun" this past week getting my latest project up and running: the Fujitsu Futro S400 thin client. I achieved success in getting Windows 98SE up and running. I then used that as a springboard to get my pure DOS games up and running like Duke3D, Doom 1/2, Indiana Jones and the Fate of Atlantis, Day of the Tentacle, and Wing Commander 1 with fully working sound on the Yamaha YMF724 PCI sound card.

Issue 1: Getting the YMF724 PCI sound card up and running was a challenge, as it kept defaulting to IRQ 11 in DOS with the YMF7x4 DOS Drivers.
Resolution 1:
- Via BIOS: Limited active IRQ/DMA system devices by disabling USB Controller, SiS AC97 built-in audio, serial port 1, and parallel port
- Via BIOS: Set PCI resource control to "manual"
- Via BIOS: Reserved IRQ 5 for PCI device
- Ran patched YMF724 drivers for SiS chipsets from
- ???
- Profit!

Issue 2: Slowing down the S400 to handle more speed sensitive games
Resolution 2: Used SetMul tool with the following parameters "setmul.exe 3 l1d" to lower the clock multiplier to 3x and disable the CPU L1 cache

but for SiS chipsets, because it would be a better and more precise way to slow down than SetMul. I guess in theory it's not that hard for such a tool to be made, i.e. set the PLL chip via SMBus, and actually the source code included in the ALS4000 patched drivers already has all the routines necessary to access the SiS chipset registers, which means it can be used as a base with slight modification for such a tool. Maybe, when I have time, I should look at that further...

I most certainly will. I've already taken out 2 of my Futro S400s from storage, but I don't know where I put the power supplies, which is what is stopping me at the moment. However, while I am looking for the power adapters, in case someone else is interested, here is how simple (or maybe hard) it looks to me at the moment:

c80f0f1006
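Added example, not code from the post or from the game: a Python model of the unpacking loop the disassembly walkthrough above describes (a 16-bit control word shifted out LSB-first with a countdown, the next word fetched the moment the count hits 0, a literal byte on a 1 bit, and on a 0 bit a word whose high byte's 3 low bits are the length and whose remaining 13 bits are ORed with 0xE000 to give a negative displacement), plus a small matching packer so the round trip can be checked. Two details the post does not state are assumptions here: the 3-bit length field meaning field + 2 bytes, and stopping once a known unpacked size has been produced. The sample input is constructed.

```python
"""Model of the LZ-style unpacker described in the walkthrough, plus a matching
packer so the example round-trips.  Added example, not code from the post.
Assumptions (the post does not state them): the 3-bit length field means
field + 2 bytes, and unpacking stops once the known unpacked size is reached."""

MAX_DISP = 8192          # 13-bit displacement d; (d | 0xE000) as signed 16-bit is d - 8192
MIN_MATCH = 2            # assumed: length field 0..7 -> 2..9 bytes
MAX_MATCH = MIN_MATCH + 7


class PackedReader:
    """Models si (read pointer), bp (control word) and dx (remaining bits)."""

    def __init__(self, src: bytes, pos: int = 0):
        self.src, self.pos = src, pos
        self.bp = self.lodsw()      # initial control word
        self.dx = 16

    def lodsb(self) -> int:
        b = self.src[self.pos]
        self.pos += 1
        return b

    def lodsw(self) -> int:
        w = int.from_bytes(self.src[self.pos:self.pos + 2], "little")
        self.pos += 2
        return w

    def next_bit(self) -> int:
        cf = self.bp & 1            # shr bp,1 : LSB -> CF
        self.bp >>= 1
        self.dx -= 1                # dec dx ; when it reaches 0, reload bp and reset dx
        if self.dx == 0:
            self.bp = self.lodsw()
            self.dx = 16
        return cf


def unpack(src: bytes, unpacked_len: int, start: int = 0) -> bytes:
    out = bytearray()
    r = PackedReader(src, start)
    while len(out) < unpacked_len:
        if r.next_bit():                        # CF=1: copy one packed byte as-is
            out.append(r.lodsb())
            continue
        w = r.lodsw()                           # CF=0: (length, displacement) word
        length = ((w >> 8) & 7) + MIN_MATCH     # 3 LSBs of the high byte -> ax
        bh = (w >> 8) >> 3                      # remaining 5 bits shifted right
        bx = ((bh | 0xE0) << 8) | (w & 0xFF)    # or bh,0xE0
        disp = bx - 0x10000                     # signed 16-bit: 13-bit value - 8192
        i = len(out) + disp
        if i < 0:
            raise ValueError("back-reference before start of output")
        for _ in range(length):                 # byte-wise, so overlapping runs repeat
            out.append(out[i])
            i += 1
    return bytes(out)


def pack(data: bytes) -> bytes:
    """Greedy packer producing exactly the layout unpack() consumes."""
    items, i = [], 0                            # (control bit, payload bytes)
    while i < len(data):
        best_len = best_disp = 0
        for j in range(max(0, i - MAX_DISP), i):
            n = 0
            while n < MAX_MATCH and i + n < len(data) and data[j + n] == data[i + n]:
                n += 1
            if n > best_len:
                best_len, best_disp = n, i - j
        if best_len >= MIN_MATCH:
            d13 = (-best_disp) & 0x1FFF         # low 13 bits of the negative displacement
            w = (d13 & 0xFF) | ((best_len - MIN_MATCH) << 8) | ((d13 >> 8) << 11)
            items.append((0, w.to_bytes(2, "little")))
            i += best_len
        else:
            items.append((1, data[i:i + 1]))
            i += 1
    # Serialise in the order the unpacker reads: the next control word is
    # fetched the moment the 16th bit is shifted out, i.e. before that
    # item's payload, so its slot is reserved right there.
    stream, bits, slot = bytearray(b"\0\0"), [], 0
    for bit, payload in items:
        bits.append(bit)
        if len(bits) == 16:
            stream[slot:slot + 2] = _ctrl(bits).to_bytes(2, "little")
            bits, slot = [], len(stream)
            stream += b"\0\0"
        stream += payload
    stream[slot:slot + 2] = _ctrl(bits).to_bytes(2, "little")   # last word, zero-padded
    return bytes(stream)


def _ctrl(bits) -> int:
    return sum(b << k for k, b in enumerate(bits))   # k-th consumed bit sits in bit k


SAMPLE = b"abcabcabcabcXYZXYZXYZXYZ" * 4 + b"dangerous dave"   # constructed input

if __name__ == "__main__":
    packed = pack(SAMPLE)
    assert unpack(packed, len(SAMPLE)) == SAMPLE
    print(len(SAMPLE), "->", len(packed), "bytes")
```

The byte-wise copy in unpack() is the point of the movsb-style loop in the original: a back-reference whose displacement is smaller than its length deliberately overlaps the bytes it is producing, so a block memcpy would read bytes that do not exist yet. The hand-built stream 01 00 41 FF F9 shows the encoding: control word 1 (literal, then reference), the literal 'A', and the word 0xF9FF, whose high byte 0xF9 carries length field 1 and whose other 13 bits are all ones, giving displacement -1.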