Hacking a DOS 32 bit protected mode game from 1997
It's been a long time since I've looked at X86 assembly, and I thought it might be fun to reverse engineer a game I enjoyed playing when I was much younger - US Navy Fighters.
Hacking tools
IDA (Interactive Dissassembler) - download IDA 8.3 from https://hex-rays.com/ida-free/ (free for personal use). I'm using the linux version. To install chmod +xx the installer and accept the license agreement. Choose the install location, I chose idafree-8.3 in my home folder.
chmod +x idafree83_linux.run ./idafree-8.3/ida64
Debugger - USNF is a DOS game and won't run on linux natively, however it runs perfectly fine through DOS-Box. The good news is DOS-Box is available as a special debug build, with an integrated debugger. This allows us to set breakpoints, peek at memory locations, etc, and should very helpful in analysing the game. To get the debug build we'll need to build DOS-Box from source. Download the source code from https://www.dosbox.com. There is some information on the build process on VOGONS.
Download the file: dosbox-0.74-3.tar.gz, and run the build. Install autotools if it's missing. Also, note the SDL 1.2 and curses dependencies:
sudo apt install autoconf autotools-dev automake sudo apt install libsdl1.2-dev libncurses-dev tar xvf dosbox-0.74-3.tar.gz cd dosbox-0.74-3/ ./autogen.sh ./configure --enable-debug=heavy make sudo make install
By default, the binary is installed into /usr/local/bin. I renamed my binary to dosbox-debug to distinguish it from the standard version:
sudo mv /usr/local/bin/dosbox /usr/local/bin/dosbox-debug
Installation Media
The game is shipped on a CDROM. Let's create an ISO of the installation media, mount it in DOSBox and run the installer.
Make sure the cdrom is not mounted when running dd:
sudo umount /dev/cdrom dd if=/dev/cdrom of=usnf20231104.iso
We can mount the ISO and examine the contents:
sudo mount -t iso9660 -o loop usnf20231104.iso /mnt/cdrom ls -l /mnt/cdrom
-r-xr-xr-x 1 root root 5803420 Oct 19 1994 1.LIB -r-xr-xr-x 1 root root 1769255 Oct 19 1994 2.LIB -r-xr-xr-x 1 root root 847749 Oct 19 1994 3.LIB -r-xr-xr-x 1 root root 128084 Oct 19 1994 5.LIB -r-xr-xr-x 1 root root 1168829 Oct 19 1994 6.LIB -r-xr-xr-x 1 root root 160640711 Oct 7 1994 7.LIB -r-xr-xr-x 1 root root 52 Jan 29 1997 AUTORUN.INF -r-xr-xr-x 1 root root 20 Sep 28 1996 CDROM.DAT dr-xr-xr-x 1 root root 2048 Feb 4 1997 Docs dr-xr-xr-x 1 root root 2048 Feb 4 1997 Gateway -r-xr-xr-x 1 root root 22539367 Oct 19 1994 INSTALL.EXE dr-xr-xr-x 1 root root 2048 Feb 4 1997 Manual -r-xr-xr-x 1 root root 13376 Jan 8 1997 MIDPAK.COM dr-xr-xr-x 1 root root 2048 Feb 4 1997 Patch -r-xr-xr-x 1 root root 3151 Feb 4 1997 patchme.txt -r-xr-xr-x 1 root root 20143 Jan 31 1997 Read.me -r-xr-xr-x 1 root root 5536 Jan 8 1997 SOUNDRV.COM dr-xr-xr-x 1 root root 2048 Feb 4 1997 THSTMSTR dr-xr-xr-x 1 root root 2048 Feb 4 1997 UNIVBE -r-xr-xr-x 1 root root 74412 Sep 2 1994 UNIVBE.EXE -r-xr-xr-x 1 root root 1043268 Oct 19 1994 USNF.EXE -r-xr-xr-x 1 root root 766 Aug 10 1995 Usnf.ico
Here's a summary of the most interesting files:
| *.LIB | Game assets |
| CDROM.DAT | Contains the text "This is the CDROM." |
| Docs | Contains an installer for some documentation |
| Gateway | Appears to be a loader that auto-runs when the CDROM is inserted |
| INSTALL.EXE | Application installer |
| Manual | Contains another installer for more documentation |
| Patch | Updates the application to v1.1 (minor improvements and bugfixes) |
| Read.me | Details about system requirements, getting the best performance from your system, and intructions on how to play the game |
| THSTMSTR | Support for Thrustmaster input devices |
| UNIVBE | Universal VESA VBE (video BIOS extensions) - for SuperVGA support (game loads this if a VESA driver is not found) |
| USNF.EXE | Main application executable |
It's interesting to note that the installer and lib files have timestamps of October 1994, while the documentation, patches and utilities are mostly dated February 1997.
Installing the game
Let's create a dosbox-games directory and a dosbox config file specifically for debugging. We just need to set cpu core to normal and mount the directory as C drive:
usnf-dosbox-0.74.conf
[cpu] core=normal [autoexec] mount c ~/dosbox-games mount d /mnt/cdrom -t cdrom -usedcd 0 -ioctl
Run dosbox-debug, passing in the config file:
dosbox-debug -conf usnf-dosbox-0.74.conf
Note our empty games directory is mounted as drive C and the installation media is mounted as drive D.
Change to D: drive and run install.exe, a full install with the default options is fine.
Once done, exit the installation program and you'll be dropped into the game directory. Let's take a look at the contents:
ls -l dosbox-games/USNF/ -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:16 '$UKR1.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 '$UKR2.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 '$UKR3.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 '$UKR4.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 '$UKR5.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:16 '$UKR6.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 '$UKR7.T2' -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:16 '$UKR8.T2' -rw-r--r-- 1 sylvester sylvester 5803420 Nov 4 17:18 1.LIB -rw-r--r-- 1 sylvester sylvester 1769255 Nov 4 17:18 2.LIB -rw-r--r-- 1 sylvester sylvester 847749 Nov 4 17:18 3.LIB -rw-r--r-- 1 sylvester sylvester 8704 Nov 4 17:15 40.2D -rw-r--r-- 1 sylvester sylvester 8704 Nov 4 17:15 41.2D -rw-r--r-- 1 sylvester sylvester 3600888 Nov 4 17:16 4.LIB -rw-r--r-- 1 sylvester sylvester 12800 Nov 4 17:15 50.2D -rw-r--r-- 1 sylvester sylvester 12800 Nov 4 17:15 51.2D -rw-r--r-- 1 sylvester sylvester 12800 Nov 4 17:15 5.2D -rw-r--r-- 1 sylvester sylvester 128084 Nov 4 17:18 5.LIB -rw-r--r-- 1 sylvester sylvester 1168829 Nov 4 17:18 6.LIB -rw-r--r-- 1 sylvester sylvester 12800 Nov 4 17:15 70.2D -rw-r--r-- 1 sylvester sylvester 16896 Nov 4 17:15 90.2D -rw-r--r-- 1 sylvester sylvester 52 Nov 4 17:16 MREAL.XXX -rw-r--r-- 1 sylvester sylvester 21899 Nov 4 17:16 READ.ME drwx------ 2 sylvester sylvester 4096 Nov 4 17:18 THSTMSTR -rw-r--r-- 1 sylvester sylvester 52 Nov 4 17:16 TIMEINT.XXX -rw-r--r-- 1 sylvester sylvester 132668 Nov 4 17:15 UKR.T2 drwx------ 2 sylvester sylvester 4096 Nov 4 17:18 UNIVBE -rw-r--r-- 1 sylvester sylvester 74412 Nov 4 17:18 UNIVBE.EXE -rw-r--r-- 1 sylvester sylvester 1043268 Nov 4 17:15 USNF.EXE -rw-r--r-- 1 sylvester sylvester 48359 Nov 4 17:15 USNF.SYM
The contents are similar to the installation CDROM, with a few additions:
- Eight T2 files named $UKRn.T2, where n is a number
- Another T2 file, named UKR.T2
- Seven files with a .2D extension
- MREAL.XXX and TIMEINT.XXX
- USNF.SYM, very interesting!!
We'll look more closely at this in future articles, but for now lets backup the USNF directory and install the v1.1 patch.
cp -r dosbox-games/USNF/ dosbox-games/USNF.ORG/
The instructions in patchme.txt on the cdrom say to copy the 2 files from the Patch directory into the USNF installation directory and run the patchme.bat file. Let's look at the contents of patchme.bat:
@echo off usnf11 -o patch echo You're all done! Type USNF to play the game.
Run the patch from dosbox:
dosbox-debug -conf usnf-dosbox-0.74.conf
Z:\>C: C:\>cd USNF C:\USNF>copy D:\PATCH PATCHME.BAT USNF11.EXE 2 File(s) copied. C:\USNF>patchme
Comparing with the original version, the following files were updated:
- 1.LIB
- 2.LIB
- 3.LIB
- 40.2D
- 41.2D
- 4.LIB
- 50.2D
- 51.2D
- 5.2D
- 5.LIB
- 6.LIB
- 70.2D
- 90.2D
- READ.ME
- USNF.EXE
- USNF.SYM
The following new files were created:
- 42.2D
- BRIEFING.TXT
- EXAMPLE.MT
Now that the game is installed, we are ready to start hacking!
Trackbacks
No Trackbacks
Comments
Display comments as Linear | Threaded