Reverse engineering Laser Squad

Started by betpet, 12:16, 01 September 10


betpet

Hi guys,

I've set myself the task of reverse engineering a few old games.  First on the list is Laser Squad.  Woo hoo! :)

Anyway, I've got a decent grasp of Assembler but that doesn't mean I'm any good at it.  What I'm after is either a hex dump or a conversion to Assembler of the core Laser Squad game plus the data from the mission files.  Could someone either tell me how to do it or supply me with those files?

Pretty please?

Also, on a related note, how do I write labels in WinAPE Assembler?  Adding a .name=&E020 throws an error claiming it's expecting an instruction.
Old Amstrad CPC 6128 owner. New Amstrad CPC 464 and 6128 owner. Getting back the love!

arnoldemu

Quote from: betpet on 12:16, 01 September 10
Hi guys,

I've set myself the task of reverse engineering a few old games.  First on the list is Laser Squad.  Woo hoo! :)

Anyway, I've got a decent grasp of Assembler but that doesn't mean I'm any good at it.  What I'm after is either a hex dump or a conversion to Assembler of the core Laser Squad game plus the data from the mission files.  Could someone either tell me how to do it or supply me with those files?

Pretty please?

Also, on a related note, how do I write labels in WinAPE Assembler?  Adding a .name=&E020 throws an error claiming it's expecting an instruction.

.name equ &e020 is what you need.

Ok try this:

1. Run the game and save a snapshot (old v2 style snapshot).
2. Run a tool like dz80 (www.inkland.org.uk).
3. In options set start to 0, set end to 65535, set file start to 0, set file hdr to 256.
4. Go back and disassemble.
5. Now open the file and see mixed opcodes and disassembly.

Now look over and you'll hopefully see bits you may recognise from other games or see bits and work out what they are doing.

You can also use winape or similar to find the main loop. Break the game and trace it for a bit until you find the main loop.
You can also use winape to find the interrupt handler.

So disassembly plus running WinAPE and setting breakpoints will help you to find out stuff.

My games. My Games
My website with coding examples: Unofficial Amstrad WWW Resource
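A worked example of the snapshot step, added here and not part of arnoldemu's post: a Python parser for the CPC "MV - SNA" snapshot format. The file is a 256-byte header followed by the memory dump, which is why the "file hdr = 256" setting is needed, so that file offset &100 is CPC address &0000. The parser pulls out the Z80 registers (PC, SP, I, interrupt mode) and the RAM dump, and maps a CPC address to its file offset for a hex editor. The sample snapshot is constructed inside the code and its register values and bytes are assumptions; run it on a real .SNA saved from WinAPE to get the game's actual values.

```python
"""Parse a CPC 'MV - SNA' snapshot: a 256-byte header followed by the RAM dump.

Because of that header, file offset 0x100 is CPC address &0000, which is
what the 'file hdr = 256' disassembler setting compensates for.
"""
import struct

SNA_MAGIC = b"MV - SNA"
HEADER_LEN = 0x100

# Header offsets of the Z80 registers (16-bit values are stored low byte first).
_REG8 = {"F": 0x11, "A": 0x12, "C": 0x13, "B": 0x14, "E": 0x15, "D": 0x16,
         "L": 0x17, "H": 0x18, "R": 0x19, "I": 0x1A, "IFF0": 0x1B, "IFF1": 0x1C,
         "IM": 0x25}
_REG16 = {"IX": 0x1D, "IY": 0x1F, "SP": 0x21, "PC": 0x23}
_DUMP_KB = 0x6B          # 16-bit size of the memory dump in KB (64 or 128)


def parse_snapshot(data: bytes) -> dict:
    """Validate the header and return the registers plus the RAM dump."""
    if data[:8] != SNA_MAGIC:
        raise ValueError("not a CPC snapshot: missing 'MV - SNA' magic")
    if len(data) < HEADER_LEN:
        raise ValueError("truncated snapshot header")
    snap = {name: data[off] for name, off in _REG8.items()}
    snap.update({name: struct.unpack_from("<H", data, off)[0]
                 for name, off in _REG16.items()})
    dump_kb = struct.unpack_from("<H", data, _DUMP_KB)[0]
    ram = data[HEADER_LEN:HEADER_LEN + dump_kb * 1024]
    if len(ram) != dump_kb * 1024:
        raise ValueError(f"header says {dump_kb} KB but only {len(ram)} bytes follow")
    snap["version"] = data[0x10]
    snap["ram"] = ram
    return snap


def ram_slice(snap: dict, addr: int, length: int) -> bytes:
    """Bytes at CPC address `addr` (the header is already stripped)."""
    return snap["ram"][addr:addr + length]


def file_offset(addr: int) -> int:
    """Where CPC address `addr` sits inside the .SNA file, for a hex editor."""
    return HEADER_LEN + addr


def make_sample_snapshot() -> bytes:
    """Constructed 64K v2 snapshot for the demo; not a real Laser Squad dump."""
    hdr = bytearray(HEADER_LEN)
    hdr[:8] = SNA_MAGIC
    hdr[0x10] = 2                                   # snapshot version 2
    hdr[_REG8["I"]] = 0x00                          # I register
    hdr[_REG8["IM"]] = 1                            # interrupt mode 1
    struct.pack_into("<H", hdr, _REG16["SP"], 0xC000)
    struct.pack_into("<H", hdr, _REG16["PC"], 0xB900)   # assumed entry point
    struct.pack_into("<H", hdr, _DUMP_KB, 64)
    ram = bytearray(0x10000)
    ram[0xB900:0xB903] = b"\x31\x00\xC0"            # LD SP,&C000
    ram[0xB903:0xB906] = b"\xC3\x03\xB9"            # JP &B903
    return bytes(hdr) + bytes(ram)


if __name__ == "__main__":
    snap = parse_snapshot(make_sample_snapshot())
    print(f"PC=&{snap['PC']:04X} SP=&{snap['SP']:04X} I=&{snap['I']:02X} IM={snap['IM']}")
    print("bytes at PC:", ram_slice(snap, snap["PC"], 6).hex(" "))
```

On a real snapshot, `snap["PC"]` is where the game was paused and `snap["ram"]` is what the disassembler sees once the 256-byte header is skipped; a 128K snapshot carries a second 64K after the first, which this parser keeps but does not split into banks.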

betpet

Thanks!  That's a great start.  How should I go about getting the mission data files from the image?

arnoldemu

Quote from: betpet on 12:35, 01 September 10
Thanks!  That's a great start.  How should I go about getting the mission data files from the image?
I would find where they are loaded into ram.
Then you can also find where the code is to load them.
When in ram, you can test your ideas by poking the memory directly within winape, so you can then discover the form and what the values mean.

Then you may be able to drop in your own data into winapes memory (assemble it into place after game has loaded).

If all works well, the final step would be to work out how it is loaded and encode your data into that form.
But, getting it running within the emu and in a form you understand is a massive part of it!

betpet

Thanks again.  For anyone interested, here's the disassembled code from the instructions above.  Now the hard part - working out what it does!

andycadley

Bear in mind that a straight disassembly from 0 may not get you usable code; if there is data preceding (or intermingled with) code sections it'll throw the disassembler off. Sitting down with a disassembly from a single point is rarely the most productive way of reverse engineering code.

When doing this sort of thing, I generally prefer to start from identifying key locations in the program. A graphics viewer can often help you locate the sprites, which often eliminates large chunks of memory from needing to be disassembled, as does using a running copy in an emulator to identify where the screen is located and the location of the interrupt routines (easily determined from the interrupt mode and content of the I register).

It's then best to locate the entry point and start disassembly from there and do small bits at a time. Usually working on the startup code will help identify key data locations and it's often relatively easy to locate the main game loop. Using breakpoints and occasionally NOPing out calls to routines can also help I find.
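An added example (not from the thread) of the approach andycadley describes: instead of a straight disassembly from &0000, follow control flow from known entry points so that data which merely looks like instructions is never decoded, and report the gaps as data candidates. The seeds are the snapshot's PC and the interrupt handler address, derived from the interrupt mode and I register as he notes: on the CPC the data bus reads &FF during the interrupt acknowledge, so IM 0 and IM 1 both land at &0038 and an IM 2 handler address is read from I*256+&FF. The RAM image, addresses and instruction bytes below are constructed for the demo; the Z80 length decoder covers the CB, ED, DD and FD prefixes.

```python
"""Recursive-descent code discovery over a 64K Z80 RAM image.

Disassembling linearly from &0000 decodes sprite and map bytes as
instructions. Following control flow from known entry points marks only
bytes the CPU can execute; anything unreached is a data candidate.
"""

def interrupt_vector(mem: bytes, im: int, i_reg: int) -> int:
    """Where a maskable interrupt lands. On the CPC nothing drives the data
    bus during the acknowledge cycle, so the Z80 reads &FF: IM 0 executes
    RST &38 and IM 2 fetches the handler address from (I << 8) | &FF."""
    if im in (0, 1):
        return 0x0038
    table = (i_reg << 8) | 0xFF
    return mem[table] | (mem[(table + 1) & 0xFFFF] << 8)

def _base_len(op: int) -> int:
    """Length of an unprefixed opcode (no IX/IY displacement)."""
    if (op in (0xC3, 0xCD, 0x22, 0x2A, 0x32, 0x3A) or (op & 0xC7) in (0xC2, 0xC4)
            or (op & 0xCF) == 0x01):
        return 3          # JP/CALL [cc],nn; LD (nn),HL/A; LD HL/A,(nn); LD rr,nn
    if (op in (0x10, 0x18, 0xD3, 0xDB) or (op & 0xC7) in (0x06, 0xC6)
            or (op & 0xE7) == 0x20):
        return 2          # DJNZ/JR [cc],e; OUT (n),A / IN A,(n); LD r,n; ALU A,n
    return 1

def _uses_hl_indirect(op: int) -> bool:
    """Opcodes that access (HL); prefixed with DD/FD they take a displacement."""
    return op != 0x76 and ((op & 0xC7) in (0x46, 0x86)   # LD r,(HL); ALU A,(HL)
                           or (op & 0xF8) == 0x70        # LD (HL),r
                           or op in (0x34, 0x35, 0x36))  # INC/DEC (HL); LD (HL),n

def insn_len(mem: bytes, pc: int) -> int:
    """Total length of the instruction at pc, prefixes included."""
    op, op2 = mem[pc & 0xFFFF], mem[(pc + 1) & 0xFFFF]
    if op == 0xCB:
        return 2
    if op == 0xED:
        return 4 if (op2 & 0xC7) == 0x43 else 2      # LD (nn),rr / LD rr,(nn)
    if op in (0xDD, 0xFD):
        if op2 == 0xCB:
            return 4                                 # DD CB d op
        return 1 + _base_len(op2) + (1 if _uses_hl_indirect(op2) else 0)
    return _base_len(op)

def discover_code(mem: bytes, seeds) -> set:
    """Addresses reachable from the seeds via JP, JR, DJNZ, CALL and RST;
    a path stops at an unconditional transfer or a return."""
    code, work = set(), [s & 0xFFFF for s in seeds]
    while work:
        pc = work.pop()
        while pc not in code:
            n = insn_len(mem, pc)
            code.update((pc + k) & 0xFFFF for k in range(n))
            op, op2 = mem[pc], mem[(pc + 1) & 0xFFFF]
            nxt = (pc + n) & 0xFFFF
            if op in (0xC3, 0xCD) or (op & 0xC7) in (0xC2, 0xC4):  # JP/CALL [cc],nn
                work.append(op2 | (mem[(pc + 2) & 0xFFFF] << 8))
            elif op in (0x10, 0x18) or (op & 0xE7) == 0x20:        # DJNZ / JR [cc],e
                work.append((nxt + (op2 - 256 if op2 > 127 else op2)) & 0xFFFF)
            elif (op & 0xC7) == 0xC7:                              # RST p
                work.append(op & 0x38)
            if (op in (0xC3, 0x18, 0xC9, 0xE9)                     # JP, JR, RET, JP (HL)
                    or (op in (0xDD, 0xFD) and op2 == 0xE9)        # JP (IX) / JP (IY)
                    or (op == 0xED and (op2 & 0xC7) == 0x45)):     # RETN / RETI
                break
            pc = nxt
    return code

def unreached_ranges(code: set, start: int, end: int) -> list:
    """Runs inside [start, end) the walker never reached: likely data."""
    runs, run_start = [], None
    for a in range(start, end + 1):
        unreached = a < end and a not in code
        if unreached and run_start is None:
            run_start = a
        elif not unreached and run_start is not None:
            runs.append((run_start, a))
            run_start = None
    return runs

def make_sample_ram() -> bytearray:
    """Constructed image: main loop, subroutine, IM 1 handler, a data table
    (holding a stray CD 20 B9 that a linear sweep would print as a CALL)
    and an IM 2 table entry for I=&C0."""
    ram = bytearray(0x10000)
    ram[0x0038:0x003D] = b"\xF5\x3C\xF1\xED\x4D"       # PUSH AF; INC A; POP AF; RETI
    ram[0xB900:0xB90D] = (b"\x31\x00\xC0"               # LD SP,&C000
                          b"\xDD\x21\x10\xB9"           # LD IX,&B910
                          b"\xCD\x20\xB9"               # CALL &B920
                          b"\xC3\x07\xB9")              # JP &B907 (main loop)
    ram[0xB910:0xB918] = b"\x01\x02\x03\xCD\x20\xB9\xFF\x00"
    ram[0xB920:0xB92C] = (b"\xDD\x7E\x00\xFE\xFF"       # LD A,(IX+0); CP &FF
                          b"\x28\x03\xDD\x23\xC9"       # JR Z,+3; INC IX; RET
                          b"\xAF\xC9")                  # XOR A; RET
    ram[0xC0FF] = 0x38
    return ram

if __name__ == "__main__":
    ram = make_sample_ram()
    code = discover_code(ram, [0xB900, interrupt_vector(ram, 1, 0)])
    print([f"&{lo:04X}-&{hi - 1:04X}" for lo, hi in unreached_ranges(code, 0xB900, 0xB930)])
```

The walker cannot see through computed jumps (JP (HL), jump tables), so those targets have to be added to the seed list by hand as you find them in the debugger; the unreached runs it reports are exactly the regions worth checking with a graphics viewer before spending time on their disassembly.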

betpet

What's the best way to find the entry point?

fano

Quote from: betpet on 13:24, 01 September 10
What's the best way to find the entry point?
Maybe not the best, but I'll post my method, which may look obvious; I used it for RD128+ and for R-Type. For me, the best way is the live approach with a debugger like the WinAPE one. You can first collect some information about the loader with the entry point (AMSDOS header). You can also trace it a bit to see the screen configuration, and some clues that will give you an idea about the memory layout.
One of the most interesting things is to locate the program's main loop and to see how the program gets to it.
You can put a breakpoint on the ISP (#38 in IM1) and trace the stack to see where the ISP will return. After that, trace the stack a bit to locate the main loop. Generally, you will find the return address to the main loop near the stack base.
When you have located the main loop, you can remove/modify some calls to get an idea, if you have absolutely no idea about a function's usage; sometimes that allows you to understand some code.
Similarly, when you know where the main loop is, you can trace from the entry point to the main loop and will be able to find the initialization functions.
"NOP" is the perfect program : short , fast and (known) bug free

Follow Easter Egg products on Facebook !
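The stack trace fano describes, as an added example rather than anything from his post: given the RAM image and SP at a breakpoint on &0038, walk each stack word up to the stack base and test whether the bytes just before the address it holds decode as CALL nn, CALL cc,nn or RST p. Words that pass are return addresses, and the decode also tells you which routine was called; the one nearest the stack base is the return into the main loop. A saved register value that happens to point just past a CALL passes the same test, so treat the output as candidates to confirm in the debugger. The image, stack contents and addresses are constructed for the demo.

```python
"""Walk the Z80 stack after breaking inside the interrupt handler.

A stack word is a return address if the bytes just before the address it
holds form CALL nn, CALL cc,nn or RST p. The deepest such word (closest to
the stack base) is the return into the main loop.
"""

def call_target(mem: bytes, value: int):
    """Target of the call that pushed `value`, or None if it is not a return."""
    op3 = mem[(value - 3) & 0xFFFF]
    if op3 == 0xCD or (op3 & 0xC7) == 0xC4:                 # CALL nn / CALL cc,nn
        return mem[(value - 2) & 0xFFFF] | (mem[(value - 1) & 0xFFFF] << 8)
    op1 = mem[(value - 1) & 0xFFFF]
    if (op1 & 0xC7) == 0xC7:                                # RST p
        return op1 & 0x38
    return None

def walk_stack(mem: bytes, sp: int, stack_base: int) -> list:
    """[(stack_addr, word, call_target_or_None)] from SP up to the base."""
    frames = []
    for addr in range(sp, stack_base, 2):
        word = mem[addr & 0xFFFF] | (mem[(addr + 1) & 0xFFFF] << 8)
        frames.append((addr, word, call_target(mem, word)))
    return frames

def main_loop_return(mem: bytes, sp: int, stack_base: int):
    """The return address nearest the stack base, i.e. back into the main loop."""
    calls = [f for f in walk_stack(mem, sp, stack_base) if f[2] is not None]
    return calls[-1][1] if calls else None

def make_sample_image():
    """Constructed RAM, SP and stack base as the debugger would show them
    at a breakpoint on &0038 while the game is inside a nested routine."""
    ram = bytearray(0x10000)
    ram[0x0038:0x003A] = b"\xF5\xC9"                        # ISR: PUSH AF ... (rest omitted)
    ram[0xB907:0xB90D] = b"\xCD\x20\xB9\xC3\x07\xB9"        # main loop: CALL &B920; JP &B907
    ram[0xB920:0xB924] = b"\xCD\x30\xB9\xC9"                # CALL &B930; RET
    ram[0xB930:0xB932] = b"\x00\xC9"                        # NOP; RET  (interrupted here)
    for addr, word in ((0xBFF8, 0x1244),    # AF pushed by the ISR
                       (0xBFFA, 0xB931),    # PC pushed by the interrupt itself
                       (0xBFFC, 0xB923),    # return into &B920 after CALL &B930
                       (0xBFFE, 0xB90A)):   # return into the main loop
        ram[addr] = word & 0xFF
        ram[addr + 1] = word >> 8
    return ram, 0xBFF8, 0xC000

if __name__ == "__main__":
    ram, sp, base = make_sample_image()
    for addr, word, target in walk_stack(ram, sp, base):
        what = f"return from CALL &{target:04X}" if target is not None else "not a return"
        print(f"&{addr:04X}: &{word:04X}  {what}")
    print(f"main loop resumes at &{main_loop_return(ram, sp, base):04X}")
```

The first word that is "not a return" after the ISR's own pushes is the interrupted PC, which is the cheapest way to find out which routine the game spends its time in when you break at random.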

betpet

Woah!  That sounds quite fiddly.  I'll give it a go :)

arnoldemu

Quote from: andycadley on 13:23, 01 September 10
Bear in mind that a straight disassembly from 0 may not get you usable code, if there is data preceding (or intermingled) with code sections it'll throw the disassembler off. Sitting down with a disassembly from a single point is rarely the most productive way of reverse engineering code.
This is true, the disassembly will contain data that has been disassembled as Z80 instructions.
However, and maybe it is because I have looked at the code from quite a lot of games, I can normally look over the disassembly and instantly recognise the sprite drawing code, the main loop, the interrupt routine, the music driver too.

The best method is to find the main loop and start to "rem" out the calls and see what they do (replacing cd xx xx with 0,0,0,0), although sometimes more than 1 call will do the whole job (e.g. sprites).

Mostly poking the game at runtime is good and poking the ram when you think you have found the map and seeing it change on the screen (or maybe after you have scrolled).

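The "rem out a call" trick from the post above, as an added Python helper (not arnoldemu's code) that patches a RAM image you would then load back into the emulator: it checks that the address really holds CALL nn, CALL cc,nn or RST p, records the original bytes so the patch can be undone, and writes the right number of NOPs (three for CALL, one for RST) so that nothing after it moves. NOP does not touch the flags, so a conditional CALL can be removed the same way. The same NOPs can be written into a .SNA file at offset &100 + address. Addresses and bytes in the demo are constructed.

```python
"""'Rem out' a subroutine call in a RAM image and put it back afterwards.

Replacing CD lo hi with three NOPs keeps every later address where it was,
so the rest of the disassembly still lines up; NOP leaves the flags alone,
so a conditional CALL cc,nn can be removed the same way. RST p is a
one-byte call and gets a single NOP.
"""
SNA_HEADER = 0x100          # .SNA files put CPC address &0000 at file offset 0x100

def call_info(mem, addr: int):
    """(size, target) for the CALL or RST at addr; ValueError if none is there."""
    op = mem[addr]
    if op == 0xCD or (op & 0xC7) == 0xC4:                   # CALL nn / CALL cc,nn
        return 3, mem[addr + 1] | (mem[addr + 2] << 8)
    if (op & 0xC7) == 0xC7:                                 # RST p
        return 1, op & 0x38
    raise ValueError(f"no CALL or RST at &{addr:04X}: found &{op:02X}")

def nop_out_call(mem: bytearray, addr: int) -> dict:
    """Overwrite the call with NOPs; the returned patch lets you undo it."""
    size, target = call_info(mem, addr)
    patch = {"addr": addr, "target": target, "saved": bytes(mem[addr:addr + size])}
    mem[addr:addr + size] = b"\x00" * size
    return patch

def restore(mem: bytearray, patch: dict) -> None:
    """Put the original bytes back."""
    mem[patch["addr"]:patch["addr"] + len(patch["saved"])] = patch["saved"]

def apply_to_snapshot(sna: bytearray, patch: dict) -> None:
    """Write the same NOPs into a .SNA file image so the emulator loads them."""
    off = SNA_HEADER + patch["addr"]
    sna[off:off + len(patch["saved"])] = b"\x00" * len(patch["saved"])

def make_sample_ram() -> bytearray:
    """Constructed image: a main loop that calls one routine and an RST."""
    ram = bytearray(0x10000)
    ram[0xB907:0xB90E] = b"\xCD\x20\xB9\xEF\xC3\x07\xB9"    # CALL &B920; RST &28; JP &B907
    ram[0xB920:0xB922] = b"\xAF\xC9"                        # XOR A; RET
    return ram

if __name__ == "__main__":
    ram = make_sample_ram()
    patch = nop_out_call(ram, 0xB907)
    print(f"removed CALL &{patch['target']:04X} at &{patch['addr']:04X}; "
          f"saved {patch['saved'].hex(' ')}")
    restore(ram, patch)
```

Keep the patch dicts in a list while experimenting; if the screen stops updating after a removal, restore that one call and you have found the routine the post calls "the whole job".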

arnoldemu

Quote from: betpet on 12:43, 01 September 10
Thanks again.  For anyone interested, here's the disassembled code from the instructions above.  Now the hard part - working out what it does!
Looking at the code it has some code left over from the Spectrum version.. this will confuse things a little.
(Some access to port &FE). But most of the code is probably for CPC.

57de is for writing to AY sound chip.
C = register, A = data

57fe is the level loader using direct access to fdc. ends at 5994 (data is written to IY)
There is code for reading and writing here.

12c8 seems to be code to read a key from the keyboard. A = key value

1314 or so reads from the keyboard.

1366 sets up the keyboard for reading I think, it wants to read joystick here it seems

it seems firmware interrupts are active at the point you made the snapshot.


betpet

Quote from: arnoldemu on 09:49, 02 September 10
1366 sets up the keyboard for reading I think, it wants to read joystick here it seems

it seems firmware interrupts are active at the point you made the snapshot.

The point I made the snapshot is where the game has loaded and asks whether you want it in French or English.  Once you have selected your language, you can select a scenario and load it up.

ivarf

Very interesting thread, even for us that haven't done any Z80 coding yet  :D

betpet

Glad you're enjoying it.  It's a good exercise for the learner even if it has a steep learning curve.  A learned friend at Retro Remakes seems to think the entry point is at &B900.  I haven't had a chance to check though.

arnoldemu

Quote from: betpet on 08:13, 03 September 10
Glad you're enjoying.  It's a good exxercise for the learner even if it has a steep learning curve.  A learned friend at Retro Remakes seems to think the entry point is at &B900.  I haven't had a chance to check though.
Are you working on a remake, or are you working on a scenario editor for the cpc version?

I am thinking that when the scenario is loaded it will also bring in some code, some specific to the scenario itself and some general (possibly for sprite drawing etc).

Axelay

I was also wondering if the goal was for a mission editor?  Laser Squad was one of my favourite games back in the day, though I can't really stand playing it these days (because of the exceptionally poor accuracy of the soldiers).

betpet

It's a possibility.  I was looking more in the lines of remaking the game in a modern system (using XNA and c#) but with the correct calculations for morale, action points, etc.  My findings could certainly be used to create a mission editor at a future date.

A tip you may find useful.  You can autoshot at short range but fire long range with decent accuracy.  By this I mean that if you had an enemy a few squares away, instead of placing the spray angle on the enemy's head and feet, place a narrow angle next to your soldier and your accuracy will improve significantly as you're aiming close by but the shot keeps going until it hits something (i.e. the enemy)

Executioner

WinAPE can disassemble a region of memory and provide labels and data sections. I reverse engineered Frogger using this. You need to define the Data Areas, then select the block to disassemble in the disassembler window and right-click, Disassemble.

redbox

Quote from: Executioner on 13:06, 16 September 10
WinAPE can disassemble a region of memory and provide labels and data sections. I reverse engineered the Frogger using this. You need to define the Data Areas, then select the block to disassemble in the disassembler window and right-click, Disassemble.

I've just discovered this feature in WinAPE and must say it's fricking awesome  :)

betpet

Oooh, how how how! :)

I'm afraid you'll have to tell me like I'm as stupid as I sound ;)

redbox

Quote from: betpet on 10:24, 23 September 10
Oooh, how how how! :)

In WinAPE, press the 'Pause' button to open the Debugger.  Select the area of memory you want to disassemble:

Click on the start address once
Then hold shift and click on the end address

The selected area will now be shaded light blue.  Now right click anywhere in the area and choose 'Disassemble', leave the default 'Output to New Assembler Tab' and press 'OK'.

Now go back to the main WinAPE window and click the 'Assembler' icon and you'll see the code in there all nicely formatted with tags etc.  When you work out what a routine does, you can change the tag name and effectively reverse engineer the program.


betpet

Awesome!  I have a lot of work ahead of me but this should speed things up.  Thanks! :D

redbox

Quote from: betpet on 12:19, 29 September 10
Awesome!  I have a lot of work ahead of me but this should speed things up.  Thanks! :D

If you find any interesting routines in there, I'd definitely like to hear about them.

betpet

Will do.  Don't expect anything particularly quick, I'm still new to all this Z80 stuff. :)

dragon

Quote from: arnoldemu on 09:31, 03 September 10
Are you working on a remake, or are you working on a scenario editor for the cpc version?

I am thinking that when the scenario is loaded it will also bring in some code, some specific to the scenario itself and some general (possibly for sprite drawing etc).

UP! (why not :) ). Yes, it's true, the scenario file has the sprites, the map, lists of arms, texts, and the colours of the game.

I found for now:

The map is a matrix of 27x42 bytes, from the left corner to the right, line by line. The hex number in the byte tells what is in the map, a wall, a tree, etc... 1 byte = 1 square of the cursor.

It goes from &845f to &93fe. It is the same for the seven scenarios.
From there, it has a dictionary-style intermediate ASCII key code to find the address of the sprites, which are all located next to this, probably &953f to &bfff. It can be found exactly by setting a breakpoint at &06F3; HL stores the address of the sprite to be printed on screen.

Below &845f, down to &6367, they have mysterious stuff, but &63CD-&63EA has the gun list for player 1: 1 byte = 1 gun, FF deactivated, any other number is the price of the gun in hex.

&63EB stores the gun list for player 2, same method as the other list.

&6442-&6445 stores your initial money for each level.


The table between &63B8-&63CB is a mystery. Activating the first four makes one soldier disappear from the list, but I can't add more by activating the others :D

&03EE CALL &03BD controls the colours of the scenario :)
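An added example (not dragon's code) that decodes the scenario tables listed in the post from a RAM image: the row-major map at &845F, whose width and height are left as parameters because the post gives the matrix as 27x42 without saying which is which, and the gun lists at &63CD and &63EB, where &FF means the gun is off and any other byte is its price. The tile codes, legend and sample bytes are invented for the demo; the tile_address helper gives the address to poke in WinAPE when testing a guess about a map cell, and the histogram is the quickest way to guess which code is floor and which is wall on a real image.

```python
"""Decode the scenario tables from a Laser Squad RAM image.

Addresses are the ones given in the thread; map dimensions are parameters
and the tile codes in the sample are invented.
"""
MAP_BASE = 0x845F
GUNS_P1 = 0x63CD
GUNS_P2 = 0x63EB
GUN_COUNT = 0x63EA - 0x63CD + 1        # 30 bytes, one per gun
GUN_DISABLED = 0xFF

def extract_map(mem, width: int, height: int, base: int = MAP_BASE) -> list:
    """Row-major grid: byte n is column n % width of row n // width."""
    if base + width * height > len(mem):
        raise ValueError("map would run past the end of the image")
    return [list(mem[base + r * width: base + (r + 1) * width]) for r in range(height)]

def tile_address(x: int, y: int, width: int, base: int = MAP_BASE) -> int:
    """RAM address of cell (x, y): the address to poke when testing a guess."""
    return base + y * width + x

def render_map(grid: list, legend: dict) -> str:
    """Text dump with two characters per cell; unknown codes print as hex."""
    return "\n".join("".join(legend.get(t, f"{t:02X}") for t in row) for row in grid)

def tile_histogram(grid: list) -> dict:
    """Tile code -> count, most common first (floor is usually the top entry)."""
    counts = {}
    for row in grid:
        for t in row:
            counts[t] = counts.get(t, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

def decode_gun_list(mem, base: int, count: int = GUN_COUNT) -> list:
    """None for &FF (gun not available), otherwise the price byte."""
    return [None if b == GUN_DISABLED else b for b in mem[base:base + count]]

def make_sample_ram() -> bytearray:
    """Constructed image with a 6x4 map and two gun lists; codes are invented."""
    ram = bytearray(0x10000)
    rows = [b"\x01\x01\x01\x01\x01\x01",        # 1 = wall, 0 = floor, 2 = soldier
            b"\x01\x00\x00\x02\x00\x01",
            b"\x01\x00\x00\x00\x00\x01",
            b"\x01\x01\x01\x01\x01\x01"]
    ram[MAP_BASE:MAP_BASE + 24] = b"".join(rows)
    ram[GUNS_P1:GUNS_P1 + GUN_COUNT] = bytes([0x0A, 0xFF, 0x19, 0x32] + [0xFF] * (GUN_COUNT - 4))
    ram[GUNS_P2:GUNS_P2 + GUN_COUNT] = bytes([0xFF] * GUN_COUNT)
    return ram

if __name__ == "__main__":
    ram = make_sample_ram()
    grid = extract_map(ram, width=6, height=4)
    print(render_map(grid, {0: " .", 1: "##", 2: " S"}))
    print("tile counts:", tile_histogram(grid))
    print("player 1 guns:", decode_gun_list(ram, GUNS_P1))
    print(f"poke &{tile_address(3, 1, 6):04X} to change the soldier's square")
```

Try both orientations (width 27 and width 42) on a real snapshot and render each; the one whose walls line up into rooms is the correct width, and poking a cell through tile_address while the map is on screen confirms it.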

