Blown Away - The Interactive Game
Technical Analysis and Fan Page

Content for everyone

Technical stuff

Links

YouTube Videos

(German or English)

How to disassemble Imagination Pilots 16-bit games?

(Blown Away, Panic in the Park, Waldo Circus)

First, you need to strip the Watcom Extender which is in front of the actual 32 bit game code. Search for "MQ" and copy from there on. The file starting with "MQ" is the actual 32-bit executable in the Pharlap "REX" format.

This REX file begins with some relocation stuff, and then comes the REAL code.

Copy this code into a BIN file. You can now disassemble this BIN file, and read it using IDA.

Here are some offsets:

Blown Away Retail (EXE):
REX starts at D990
Code starts at D990 + B820 = 191B0
See my IDA 5 Pro database with some annotations (as ASM file)

Blown Away Preview Edition (EXE):
REX starts at D9B8
Code starts at D9B8 + CB60 = 1A518

Blown Away NimGame Demo (EXE):
REX starts at D9B8
Code starts at D9B8 + C1B0 = 19B68

Panic in the Park Retail (EXE):
REX starts at C1D8
Code starts at C1D8 + 11C90 = 1DE68

Waldo in the Circus, English (EXE):
REX starts at AD98
Code starts at AD98 + 2B590 = 36328

Waldo in the Circus, French (EXE):
REX starts at E000
Code starts at E000 + 2B0C0 = 390C0

I add a few thousand additional null bytes at the end, so that Xref's can be handled with IDA

Using OpenWatcom's wdump, you can dump the header of the REX file. You will see the initial EIP (for Blown Away Retail : 20238h) which you can use to start the auto-analysis of IDA.

It seems like the original game was built with Watcom 10.0a. In my Blown Away patch I did a re-bind (wbind.exe) to bind the REX code to the PharLap extender, and it worked. The resulting file is a bit different, but that might be because of the resource section. Re-binding the REX code with Watcom 8.5, 10.5, 10.6, 11.x will just result in a bluescreen.

Attention in regards to patching: The fixed addresses may not be moved, because the extender changes the assembly on-the-fly, updating the addresses according to the relocation table. So, if the address reference is then somewhere else due to changed assembly code, the game will crash

Example; This patch is OK:

	xor eax,eax		--> nop
				--> nop
	mov ebx,0x1234567	--> mov ebx,0x1234567 (stays)

This patch is NOT OK and will crash the game:

	xor eax,eax		--> mov ebx,0x1234567 (did move!)
	mov ebx,0x1234567	--> xor eax,eax

© 2024 Daniel Marschall - - www.daniel-marschall.de

Please also see my pages for other Imagination Pilots games:
Blown Away | Panic in the Park | Waldo at the Circus | Waldo Exploring Geography | Eraser Turnabout | Virtual K'Nex