Hacking a DOS 32 bit protected mode game from 1997

It's been a long time since I've looked at X86 assembly, and I thought it might be fun to reverse engineer a game I enjoyed playing when I was much younger - US Navy Fighters.

Hacking tools

IDA (Interactive Disassembler) - download IDA 8.3 from https://hex-rays.com/ida-free/ (free for personal use). I'm using the Linux version. To install, chmod +x the installer, run it and accept the license agreement. Choose the install location; I chose idafree-8.3 in my home folder.

chmod +x idafree83_linux.run
./idafree83_linux.run
./idafree-8.3/ida64

Debugger - USNF is a DOS game and won't run on Linux natively; however, it runs perfectly fine through DOSBox. The good news is that DOSBox is available as a special debug build with an integrated debugger. This allows us to set breakpoints, peek at memory locations, etc., and should be very helpful in analysing the game. To get the debug build we'll need to build DOSBox from source. Download the source code from https://www.dosbox.com. There is some information on the build process on VOGONS.

Download the file: dosbox-0.74-3.tar.gz, and run the build. Install autotools if it's missing. Also, note the SDL 1.2 and curses dependencies:

sudo apt install autoconf autotools-dev automake
sudo apt install libsdl1.2-dev libncurses-dev
tar xvf dosbox-0.74-3.tar.gz
cd dosbox-0.74-3/
./autogen.sh
./configure --enable-debug=heavy
make
sudo make install

By default, the binary is installed into /usr/local/bin. I renamed my binary to dosbox-debug to distinguish it from the standard version:

sudo mv /usr/local/bin/dosbox /usr/local/bin/dosbox-debug

Installation Media

The game is shipped on a CDROM. Let's create an ISO of the installation media, mount it in DOSBox and run the installer.

Make sure the cdrom is not mounted when running dd:

sudo umount /dev/cdrom
dd if=/dev/cdrom of=usnf20231104.iso

We can mount the ISO and examine the contents:

sudo mount -t iso9660 -o loop usnf20231104.iso /mnt/cdrom
ls -l /mnt/cdrom
-r-xr-xr-x 1 root root   5803420 Oct 19  1994 1.LIB
-r-xr-xr-x 1 root root   1769255 Oct 19  1994 2.LIB
-r-xr-xr-x 1 root root    847749 Oct 19  1994 3.LIB
-r-xr-xr-x 1 root root    128084 Oct 19  1994 5.LIB
-r-xr-xr-x 1 root root   1168829 Oct 19  1994 6.LIB
-r-xr-xr-x 1 root root 160640711 Oct  7  1994 7.LIB
-r-xr-xr-x 1 root root        52 Jan 29  1997 AUTORUN.INF
-r-xr-xr-x 1 root root        20 Sep 28  1996 CDROM.DAT
dr-xr-xr-x 1 root root      2048 Feb  4  1997 Docs
dr-xr-xr-x 1 root root      2048 Feb  4  1997 Gateway
-r-xr-xr-x 1 root root  22539367 Oct 19  1994 INSTALL.EXE
dr-xr-xr-x 1 root root      2048 Feb  4  1997 Manual
-r-xr-xr-x 1 root root     13376 Jan  8  1997 MIDPAK.COM
dr-xr-xr-x 1 root root      2048 Feb  4  1997 Patch
-r-xr-xr-x 1 root root      3151 Feb  4  1997 patchme.txt
-r-xr-xr-x 1 root root     20143 Jan 31  1997 Read.me
-r-xr-xr-x 1 root root      5536 Jan  8  1997 SOUNDRV.COM
dr-xr-xr-x 1 root root      2048 Feb  4  1997 THSTMSTR
dr-xr-xr-x 1 root root      2048 Feb  4  1997 UNIVBE
-r-xr-xr-x 1 root root     74412 Sep  2  1994 UNIVBE.EXE
-r-xr-xr-x 1 root root   1043268 Oct 19  1994 USNF.EXE
-r-xr-xr-x 1 root root       766 Aug 10  1995 Usnf.ico

Here's a summary of the most interesting files:

*.LIB Game assets
CDROM.DAT Contains the text "This is the CDROM."
Docs Contains an installer for some documentation
Gateway Appears to be a loader that auto-runs when the CDROM is inserted
INSTALL.EXE Application installer
Manual Contains another installer for more documentation
Patch Updates the application to v1.1 (minor improvements and bugfixes)
Read.me Details about system requirements, getting the best performance from your system, and instructions on how to play the game
THSTMSTR Support for Thrustmaster input devices
UNIVBE Universal VESA VBE (video BIOS extensions) - for SuperVGA support (game loads this if a VESA driver is not found)
USNF.EXE Main application executable

It's interesting to note that the installer and lib files have timestamps of October 1994, while the documentation, patches and utilities are mostly dated February 1997.

Installing the game

Let's create a dosbox-games directory and a dosbox config file specifically for debugging. We just need to set cpu core to normal and mount the directory as C drive:

usnf-dosbox-0.74.conf

[cpu]
core=normal

[autoexec]
mount c ~/dosbox-games
mount d /mnt/cdrom -t cdrom -usecd 0 -ioctl

Run dosbox-debug, passing in the config file:

dosbox-debug -conf usnf-dosbox-0.74.conf

Note our empty games directory is mounted as drive C and the installation media is mounted as drive D.

Change to the D: drive and run install.exe. A full install with the default options is fine.

Once done, exit the installation program and you'll be dropped into the game directory. Let's take a look at the contents:

ls -l dosbox-games/USNF/

-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:16 '$UKR1.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15 '$UKR2.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15 '$UKR3.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15 '$UKR4.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15 '$UKR5.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:16 '$UKR6.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15 '$UKR7.T2'
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:16 '$UKR8.T2'
-rw-r--r-- 1 sylvester sylvester 5803420 Nov  4 17:18  1.LIB
-rw-r--r-- 1 sylvester sylvester 1769255 Nov  4 17:18  2.LIB
-rw-r--r-- 1 sylvester sylvester  847749 Nov  4 17:18  3.LIB
-rw-r--r-- 1 sylvester sylvester    8704 Nov  4 17:15  40.2D
-rw-r--r-- 1 sylvester sylvester    8704 Nov  4 17:15  41.2D
-rw-r--r-- 1 sylvester sylvester 3600888 Nov  4 17:16  4.LIB
-rw-r--r-- 1 sylvester sylvester   12800 Nov  4 17:15  50.2D
-rw-r--r-- 1 sylvester sylvester   12800 Nov  4 17:15  51.2D
-rw-r--r-- 1 sylvester sylvester   12800 Nov  4 17:15  5.2D
-rw-r--r-- 1 sylvester sylvester  128084 Nov  4 17:18  5.LIB
-rw-r--r-- 1 sylvester sylvester 1168829 Nov  4 17:18  6.LIB
-rw-r--r-- 1 sylvester sylvester   12800 Nov  4 17:15  70.2D
-rw-r--r-- 1 sylvester sylvester   16896 Nov  4 17:15  90.2D
-rw-r--r-- 1 sylvester sylvester      52 Nov  4 17:16  MREAL.XXX
-rw-r--r-- 1 sylvester sylvester   21899 Nov  4 17:16  READ.ME
drwx------ 2 sylvester sylvester    4096 Nov  4 17:18  THSTMSTR
-rw-r--r-- 1 sylvester sylvester      52 Nov  4 17:16  TIMEINT.XXX
-rw-r--r-- 1 sylvester sylvester  132668 Nov  4 17:15  UKR.T2
drwx------ 2 sylvester sylvester    4096 Nov  4 17:18  UNIVBE
-rw-r--r-- 1 sylvester sylvester   74412 Nov  4 17:18  UNIVBE.EXE
-rw-r--r-- 1 sylvester sylvester 1043268 Nov  4 17:15  USNF.EXE
-rw-r--r-- 1 sylvester sylvester   48359 Nov  4 17:15  USNF.SYM

The contents are similar to the installation CDROM, with a few additions:

  • Eight T2 files named $UKRn.T2, where n is a number
  • Another T2 file, named UKR.T2
  • Seven files with a .2D extension
  • MREAL.XXX and TIMEINT.XXX
  • USNF.SYM, very interesting!!

We'll look more closely at this in future articles, but for now let's back up the USNF directory and install the v1.1 patch.

cp -r dosbox-games/USNF/ dosbox-games/USNF.ORG/

The instructions in patchme.txt on the cdrom say to copy the 2 files from the Patch directory into the USNF installation directory and run the patchme.bat file. Let's look at the contents of patchme.bat:

@echo off
usnf11 -o
patch
echo You're all done!  Type USNF to play the game.

Run the patch from dosbox:

dosbox-debug -conf usnf-dosbox-0.74.conf
Z:\>C:

C:\>cd USNF

C:\USNF>copy D:\PATCH
 PATCHME.BAT
 USNF11.EXE
   2 File(s) copied.

C:\USNF>patchme

Comparing with the original version, the following files were updated:

  • 1.LIB
  • 2.LIB
  • 3.LIB
  • 40.2D
  • 41.2D
  • 4.LIB
  • 50.2D
  • 51.2D
  • 5.2D
  • 5.LIB
  • 6.LIB
  • 70.2D
  • 90.2D
  • READ.ME
  • USNF.EXE
  • USNF.SYM

The following new files were created:

  • 42.2D
  • BRIEFING.TXT
  • EXAMPLE.MT

Now that the game is installed, we are ready to start hacking!
