Content for everyone
Technical stuff
Links
|
How to disassemble Imagination Pilots 16-bit games?(Blown Away, Panic in the Park, Waldo Circus) First, you need to strip the Watcom Extender which is in front of the actual 32 bit game code. Search for "MQ" and copy from there on. The file starting with "MQ" is the actual 32-bit executable in the Pharlap "REX" format. This REX file begins with some relocation stuff, and then comes the REAL code. Copy this code into a BIN file. You can now disassemble this BIN file, and read it using IDA. Here are some offsets: Blown Away Retail (EXE): REX starts at D990 Code starts at D990 + B820 = 191B0 See my IDA 5 Pro database with some annotations (as ASM file) Blown Away Preview Edition (EXE): REX starts at D9B8 Code starts at D9B8 + CB60 = 1A518 Blown Away NimGame Demo (EXE): REX starts at D9B8 Code starts at D9B8 + C1B0 = 19B68 Panic in the Park Retail (EXE): REX starts at C1D8 Code starts at C1D8 + 11C90 = 1DE68 Waldo in the Circus, English (EXE): REX starts at AD98 Code starts at AD98 + 2B590 = 36328 Waldo in the Circus, French (EXE): REX starts at E000 Code starts at E000 + 2B0C0 = 390C0 I add a few thousand additional null bytes at the end, so that Xref's can be handled with IDA Using OpenWatcom's wdump, you can dump the header of the REX file. You will see the initial EIP (for Blown Away Retail : 20238h) which you can use to start the auto-analysis of IDA. It seems like the original game was built with Watcom 10.0a. In my Blown Away patch I did a re-bind (wbind.exe) to bind the REX code to the PharLap extender, and it worked. The resulting file is a bit different, but that might be because of the resource section. Re-binding the REX code with Watcom 8.5, 10.5, 10.6, 11.x will just result in a bluescreen. Attention in regards to patching: The fixed addresses may not be moved, because the extender changes the assembly on-the-fly, updating the addresses according to the relocation table. So, if the address reference is then somewhere else due to changed assembly code, the game will crash Example; This patch is OK: xor eax,eax --> nop --> nop mov ebx,0x1234567 --> mov ebx,0x1234567 (stays) This patch is NOT OK and will crash the game: xor eax,eax --> mov ebx,0x1234567 (did move!) mov ebx,0x1234567 --> xor eax,eax |
Please also see my pages for other Imagination Pilots games: Blown Away | Panic in the Park | Waldo at the Circus | Waldo Exploring Geography | Eraser Turnabout | Virtual K'Nex |