How can I do reverse engineering to a game?

robert
5-bit member
Posts: 36
Joined: February 28th, 2012, 8:53 pm

How can I do reverse engineering to a game?

Post by robert »

Hi everyone!

I have some games that I wish had a level editor, because they don't have one. Malvineous told me that I should reverse engineer them, but I don't know how to. If anyone can help me with how to do reverse engineering on a DOS game I would appreciate it. The games are Aquanoid and Bumpy, these are just two of my oldest games. I name them just in case anybody knows them and already has some idea of how to reverse engineer.

Do I have to use any specific program to reverse engineer? How hard is it for someone who knows nothing about it?

Ok, any help will be appreciated.
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

I've started a preliminary guide to reverse engineering on the ModdingWiki so maybe you could start reading that and tell me if anything is not explained clearly so I can fix it. Learning the type of reverse engineering skills required to make modding tools for DOS games is quite easy, it just takes some time to become familiar with things.

The only program you will need is a hex editor. I am using Linux and because I couldn't find any good hex editors I wrote my own, but if you use Windows there are some nice ones out there. It is best if you can find a hex editor that can display data in CP437 (the "font" that DOS uses in the US) as it can make reverse engineering certain types of data much easier, but this is not a requirement. Some people here can probably recommend some good hex editors for Windows or DOS.
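Since the post above recommends a hex editor that can show the text column in CP437, here is an added example (mine, not from the thread or the ModdingWiki guide) of the kind of view that is being described: a small hex dumper in Python whose text column decodes bytes as CP437, so DOS box-drawing characters and other high-bit bytes become visible instead of being shown as dots. The `SAMPLE` bytes are constructed for the example and are not from any real game file.

```python
# Added example: hex dump with a CP437 text column (the DOS code page).
# Python ships with the "cp437" codec, so no extra library is needed.
from typing import List

# Constructed sample data (not from a real game): a fake level name, two
# zero bytes, four CP437 box-drawing bytes, a few "tile" bytes and two
# little-endian 16-bit values (width = 16, height = 8).
SAMPLE = b"LEVEL 01\x00\x00\xc9\xcd\xcd\xbb\x01\x02\x03\x00\x10\x00\x08\x00"


def cp437_char(b: int) -> str:
    """Decode one byte as CP437; control bytes (0x00-0x1F, 0x7F) print as '.'."""
    if b < 0x20 or b == 0x7F:
        return "."
    return bytes([b]).decode("cp437")


def hexdump(data: bytes, width: int = 16, base: int = 0) -> List[str]:
    """Return hex-dump lines in the usual layout: offset, hex bytes, text column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        # Pad the hex column so the text column lines up on a short last row.
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(cp437_char(b) for b in chunk)
        lines.append(f"{base + off:08X}  {hexpart}  {text}")
    return lines


def read_u16_le(data: bytes, off: int) -> int:
    """Read a little-endian 16-bit value, the usual integer layout in DOS games."""
    return data[off] | (data[off + 1] << 8)


if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    # The two words after the tile bytes decode as 16 and 8 when read little-endian.
    print("width:", read_u16_le(SAMPLE, 18), "height:", read_u16_le(SAMPLE, 20))
```

In the dump, the bytes C9 CD CD BB show up as a box-drawing run (╔══╗) rather than four dots, which is exactly the kind of pattern that makes a map or a text screen stand out in a data file. Bytes below 0x20 are still shown as dots, because in CP437 those positions are DOS control characters.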
MrFlibble
Forum Administrator
Posts: 1798
Joined: December 9th, 2010, 7:19 am

Re: How can I do reverse engineering to a game?

Post by MrFlibble »

While being no expert in programming in general, I can tell that Segra, a Dune II enthusiast, did an excellent job reverse-engineering that game's executable using IDA Pro (some results can be seen here, and even more are scattered throughout the forum there if you're actually interested in the matter).

The OpenDUNE engine recreation project is also based on game code reverse engineering, however, I'm not sure what tools the guys used to do that.
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

Reverse engineering the code (usually called disassembling) is much harder, and you need to know a fair bit about programming in assembly language to be able to do it. It's usually not necessary for things like making level editors though (unless the game uses some weird encryption) so my guide will only focus on reverse engineering game data files - no code. For that, all you need is a hex editor.
robert
5-bit member
Posts: 36
Joined: February 28th, 2012, 8:53 pm

Re: How can I do reverse engineering to a game?

Post by robert »

Thanks Everyone! Good info.

If I open a file which I suppose has information about the levels with the hex editor (I already have one :D ), how can I know where I can edit something? I mean, I only see letters and numbers everywhere (e.g. D3, A1, 09, etc.). What should I put to change something?

BTW, what exactly is FAT? How can I find it? Is this an extension of a file?

Another question: What happens if all the data is contained in the .exe file?
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

I've updated the guide with some answers to your questions - please let me know if they help or if more explanation is needed. There is a new section at the top which explains how the hex editor view works and what the numbers mean, some more info about FAT, and a new section about what you should edit to experiment with map files, with a few screenshots as examples.

If the data is inside the .exe file there is no difference - you just open the .exe file in your hex editor. You may need to decompress it first though, if you can't find any readable text inside it.
robert
5-bit member
Posts: 36
Joined: February 28th, 2012, 8:53 pm

Re: How can I do reverse engineering to a game?

Post by robert »

The information is very helpful. I now know what the numbers and letters mean, although of course to me it is still hard to understand the whole thing. By now I can make changes and see the results.

Guess what? I've found where the map levels are stored in Aquanoid (a breakout game). There is a file (data.aqa) which contains the map levels compressed, and I've made a few changes in it, saved it, then entered the game and saw some changes in the blocks (the ones you must destroy to pass a level). It was easy to see where I could edit, because the hex values and the text part are similar, except the whole map was represented with dots (.) in the text part. So I took some screenshots of the levels and opened the hex editor again. Then I compared them, and discovered which hex value represents which block. I wrote the values and the block they represent in a .txt file, so any time I want to edit the blocks I refer to it.

Of course it was quite easy to understand what a hex value represents in a map level. Other games are much harder, and one has all the data in the .exe file.

Anyway, thanks for your help, I'll try with other games.
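The method robert describes above (change something, save, look at what moved) is the standard way of locating a value in an unknown data file. As an added example that is not robert's tool and not from the thread, the script below compares two versions of a file and reports each run of bytes that changed, then translates a changed offset into a row and column of a fixed-width map grid. `BEFORE` and `AFTER` are constructed stand-ins with an invented layout (a 4-byte tag followed by a 6x3 grid of one byte per cell); they are not the real data.aqa format.

```python
# Added example: "edit, then diff" to find where a level's blocks live.
from typing import List, Tuple

# Constructed sample files (invented layout, not the real Aquanoid format):
# 4-byte tag "MAP1", then a 6-wide, 3-high grid, one byte per block.
BEFORE = b"MAP1" + bytes([
    1, 1, 1, 1, 1, 1,
    0, 2, 2, 2, 2, 0,
    0, 0, 3, 3, 0, 0,
])
# Same file after changing two blocks in the middle row to type 5.
AFTER = b"MAP1" + bytes([
    1, 1, 1, 1, 1, 1,
    0, 2, 5, 5, 2, 0,
    0, 0, 3, 3, 0, 0,
])

Run = Tuple[int, bytes, bytes]   # (file offset, old bytes, new bytes)


def diff_runs(old: bytes, new: bytes) -> List[Run]:
    """Return contiguous runs of differing bytes as (offset, old, new).

    Files of unequal length are compared up to the shorter one and the
    leftover tail is reported as one extra run, so a size change is never
    silently ignored (a compressed file growing is a useful clue in itself).
    """
    runs: List[Run] = []
    n = min(len(old), len(new))
    i = 0
    while i < n:
        if old[i] == new[i]:
            i += 1
            continue
        start = i
        while i < n and old[i] != new[i]:
            i += 1
        runs.append((start, old[start:i], new[start:i]))
    if len(old) != len(new):
        runs.append((n, old[n:], new[n:]))
    return runs


def grid_offset(offset: int, header: int, width: int) -> Tuple[int, int]:
    """Translate a file offset into (row, column) of a grid of `width` cells
    that starts `header` bytes into the file."""
    return divmod(offset - header, width)


if __name__ == "__main__":
    for off, old, new in diff_runs(BEFORE, AFTER):
        row, col = grid_offset(off, header=4, width=6)
        print(f"offset 0x{off:04X} (row {row}, col {col}): {old.hex()} -> {new.hex()}")
```

Once you know the grid width (count the blocks across one level on screen), `grid_offset` tells you which cell a changed byte belongs to, which is a quicker check than comparing screenshots by eye. The same diff also works in the other direction: edit bytes in the file, run the game, and note which cells moved.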
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

Sounds good! Glad you were able to figure out a map format. If you can, please create some pages on the ModdingWiki to document your findings so that others can benefit, especially people like myself writing level editors :-)
yellowantphil
4-bit nibble
Posts: 24
Joined: October 10th, 2011, 12:00 am
Location: Oklahoma

Re: How can I do reverse engineering to a game?

Post by yellowantphil »

What about editing the game executable? What sort of things are possible?

Some disorganized musings on editing game executables:

Of course it’s simple enough to edit text strings, as long as the new text is not longer than the old text. What about making the text longer by creating a longer text string elsewhere in the executable, and changing any pointers to the string? I don’t know how I’d find the pointers, or whether it would work.

Today I had some partial success changing the maximum number of hedgehogs you can carry in Wacky Wheels. The byte alignment wasn’t what I had expected: if the first byte in the file is byte zero, it looks like the first byte of any integer falls on an odd byte.

Is it possible to convert the executable into assembly that I can run through GCC?

Is there any particular organization to a DOS executable file? It seems like if I change anything in the first half of WW.EXE, the game crashes, acts erratically, or won’t load. Changes in the second half of the file seem less dangerous, and that’s where I found a number that influences the maximum number of hedgehogs. Maybe it’s just Wacky Wheels that has “dangerous” and “less dangerous” halves of the file...
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

You can read up on the DOS .exe file format if you want to know more. The format is widely known and well documented, but relatively complex. Essentially it is divided up into sections. There is a section for code, typically placed near the start of the file, and one for data, typically placed at the end. This is why the second half is less dangerous to edit, as you're only changing variables. When you edit the first half of the file you're changing the code, and, to use a C analogy, one misplaced byte could change an "if" statement to a "goto" completely breaking the game's control flow.

This is all well beyond the scope of what I intend to cover in my guide, as I'm mostly interested in modding a game while working within the existing boundaries. I'm less interested in changing the game code as then it becomes a bit like a different game.

If you do want to investigate this, the aforementioned IDA Pro is definitely the way to go. It will disassemble the code back into assembly language which you can then examine to figure out how the code works. I successfully used this method to reverse engineer the freeware release of Bio Menace to find out how to activate the cheat codes, but that was a few days of working on it full-time. You can use the offsets provided (with a bit of calculation) to load up the .exe in a hex editor and make changes. I also used that to enable some of the disabled cheats (level warp, etc.) in Monster Bash, before realising there was a trainer which had already done the work for me.

I recommend asking over at the Keen:Modding forum as they seem to have completely reverse engineered the game code for Commander Keen and are producing copious patches, seemingly on request, for all sorts of gameplay changes. Whatever tools they're using seem to work spectacularly well.

As for GCC I agree it'd be great if you could just recompile the code, but unfortunately I don't think there's anything out there that can do this. It has been done before, but it's very much a slow, manual job. You'd also need one of the old DOS compilers (probably Watcom for DOS4GW) because I don't think the one version of GCC that can produce DOS executables creates particularly reliable ones.

With your other byte-alignment comment, it sounds like the first byte might be a length field (or a terminating null at the end of a C-style string), and that's why it has an effect on the alignment in the rest of the file.
yellowantphil
4-bit nibble
Posts: 24
Joined: October 10th, 2011, 12:00 am
Location: Oklahoma

Re: How can I do reverse engineering to a game?

Post by yellowantphil »

Apparently I was crazy to think that all integers in an executable would be aligned a certain way. I just know that integers in memory align to four bytes (or eight I imagine, for 64-bit), and I was expecting something similar in the exe file. But that isn't true for short programs I compile on Linux, and I suppose it isn't true for DOS executables either...

I think there are at least two values in ww.exe that determine the maximum number of hedgehogs, and I can't find the other one to save my life... oh well.

I'll read about the DOS exe format sometime. At the moment, I'd be content to know where the data section starts and stops, and maybe how to figure out where one variable starts and the next one stops.

Suddenly I wish that Apogee had compiled Wacky Wheels with debug information built in. :ugeek: Not that I have a DOS debugger.
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

I think all Borland's old DOS stuff is freeware now so it's easy to get hold of a DOS debugger. DOSBox even has a rudimentary one built in. Linux has tools like objdump and objcopy that can dump data/code/whatever sections from ELF executables, so there might be a similar program that can handle DOS .exe files.

The problem is that a value like maximum hedgehogs could be anywhere - it could be a constant, so in the data section. Or it could be a variable initialised with a bunch of others, so not really visible until it's in memory. Or it could be buried in the code itself, like "if (hh > 99) hh = 99". Those could end up as things like "cmp ax, 99" which end up in the code segment. And, in this example, the value would have to be changed in two places to work correctly.

I guess if it were me, I'd start with DOSBox and see if I could step through loading a game. Since you know where the hedgehog count is stored in a saved game, you may be able to see where that gets stored in memory and if it gets altered to some maximum value on the way.

As to figuring out where variables start and stop that's not really possible in an automated way. Variables are just constructs ("make believe") in programming languages, in compiled code you just have a block of memory and you can write stuff wherever you want. The compiler chooses some locations more or less at random where it decides to store particular variables, and the only way you know where a variable is stored is by reading the disassembled code and figuring out what the code is doing when it accesses that memory location. Tools like IDA Pro can at least highlight which parts of the code access some memory locations, and you can name them once you figure out what's going on so they seem like variables again, but it's very laborious work. It is quite satisfying though when you finally figure what some part of the code is doing! But you spend a lot of time tearing your hair out wondering why some unrelated bit of code is calling your newly discovered function, until you eventually realise the newly discovered function doesn't actually do what you thought it did...
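Two points from the posts above can be shown concretely: the DOS .exe header tells you where the load module (code and data) starts, and a constant like "99" may be sitting in the code as an immediate operand as well as in data, so a naive search finds it in more than one place. The script below is an added example (mine, not from the thread and not a ModdingWiki tool) that parses the 28-byte MZ header, works out the load module's start and the image size, and then reports every little-endian 16-bit occurrence of a value as a position relative to the load module. `SAMPLE_EXE` is a constructed, minimal MZ image; the few code bytes in it are hand-assembled for the example and are not from Wacky Wheels or any other game.

```python
# Added example: locate the load module in a DOS MZ .exe and search it for a
# 16-bit constant. Header layout is the standard 28-byte MZ header.
import struct
from typing import Dict, List

MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc",
             "e_ovno")
MZ_STRUCT = struct.Struct("<2s13H")   # "MZ" then 13 little-endian words


def parse_mz(data: bytes) -> Dict[str, object]:
    """Parse the MZ header and derive where the load module and entry point are."""
    if len(data) < MZ_STRUCT.size:
        raise ValueError("file too short for an MZ header")
    hdr: Dict[str, object] = dict(zip(MZ_FIELDS, MZ_STRUCT.unpack_from(data, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    # Header size is given in 16-byte paragraphs; the load module follows it.
    hdr["load_start"] = hdr["e_cparhdr"] * 16
    # e_cp counts 512-byte pages; e_cblp is the byte count of the last page
    # (0 means the last page is full).
    last = hdr["e_cblp"]
    hdr["image_size"] = (hdr["e_cp"] - 1) * 512 + (last if last else 512)
    # Initial CS:IP is relative to the start of the load module.
    hdr["entry_file_offset"] = hdr["load_start"] + hdr["e_cs"] * 16 + hdr["e_ip"]
    return hdr


def find_word(data: bytes, value: int, start: int = 0) -> List[int]:
    """File offsets of every little-endian 16-bit occurrence of `value`."""
    needle = struct.pack("<H", value)
    hits, pos = [], data.find(needle, start)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def describe_hit(hdr: Dict[str, object], off: int) -> str:
    """Say whether a hit is in the header or the load module, and give the
    paragraph-normalised segment:offset relative to the load module."""
    load_start = hdr["load_start"]
    if off < load_start:
        return f"file 0x{off:04X}: inside header/relocation table"
    rel = off - load_start
    return f"file 0x{off:04X}: load module +0x{rel:04X} ({rel >> 4:04X}:{rel & 0xF:04X})"


# Constructed 64-byte image: 32-byte header (2 paragraphs), 32-byte load module.
# The "code" is hand-assembled: mov ax,0 / cmp ax,99 / jbe +3 / mov ax,99 / ret,
# so the constant 99 (63 00) appears twice in code and once more as a data word.
SAMPLE_EXE = (
    MZ_STRUCT.pack(b"MZ", 0x40, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    + b"\x00" * 4                                        # pad header to 32 bytes
    + b"\xb8\x00\x00\x3d\x63\x00\x76\x03\xb8\x63\x00\xc3"  # constructed code
    + b"\x00" * 14
    + b"\x63\x00"                                        # data word holding 99
    + b"\x00" * 4
)

if __name__ == "__main__":
    hdr = parse_mz(SAMPLE_EXE)
    print(f"load module at 0x{hdr['load_start']:X}, image size {hdr['image_size']}, "
          f"entry at file offset 0x{hdr['entry_file_offset']:X}")
    for off in find_word(SAMPLE_EXE, 99):
        print(describe_hit(hdr, off))
```

Running it lists three hits for 99 in the sample: two inside the hand-assembled `cmp`/`mov` instructions and one in the trailing data word, which is the "value in two places" situation described above. The search is deliberately dumb (any two adjacent bytes that happen to equal 63 00 will match), so each hit still has to be checked in a disassembler before editing it. Also note that a packed executable (LZEXE, PKLITE and similar) has to be unpacked first, as mentioned earlier in the thread, or the load module you search is compressed data rather than code.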
robert
5-bit member
Posts: 36
Joined: February 28th, 2012, 8:53 pm

Re: How can I do reverse engineering to a game?

Post by robert »

Do you remember I said I have found the way to edit Aquanoid levels?

Well, I have good news! I've already made 50 levels; in each one I edited the structure, the name of the level, and the difficulty word (simple, challenging, etc.), but I haven't edited the level's background yet.

I just wanted to say it :D, because I'm very pleased with my progress.

Maybe I'll write something in the modding wiki, but I need to find out how to edit more things about the levels, like the background. Editing the blocks and the level's name is very easy; in the hex editor they show the levels like a map.
MrFlibble
Forum Administrator
Posts: 1798
Joined: December 9th, 2010, 7:19 am

Re: How can I do reverse engineering to a game?

Post by MrFlibble »

Cool! Glad to hear you're successful in figuring this out by yourself :) I know how good this can feel, so congrats! :D

On another note, I personally haven't played Aquanoid, maybe I'll check it out when I have time :)
Malvineous
8-bit mega nerd
Posts: 292
Joined: March 17th, 2007, 6:40 pm
Location: Brisbane, Australia

Re: How can I do reverse engineering to a game?

Post by Malvineous »

Don't feel you need to wait until you discover more before you put it in the ModdingWiki either. Having any little bit of information is better than nothing at all. If nothing else, you might save someone else a little time because they don't have to re-do the work you did!