Serenia (Adventure in Serenia) is an adventure game made in 1982.
Adventure games of that era were mostly text, but this one also shows simple graphics.
When the IBM version was made, MS-DOS (PC-DOS on IBM machines) had probably not yet taken over the market completely, and some DOS-era games even carried their own copy of DOS (!) on the disk.
This game is also self-booting.
Here is the boot image.
It is not a typical boot image.
The FAT area.
The root directory.
Several files are visible. Was the game written in assembly?
Normally a disk image like this has to be run in DOSBox by a separate method.
But the version of the game I got runs by simply executing SERENIA.COM.
How does that work?
I took a look.
(I did not go through all of it, only the basic structure.)
The game lives in GAME.DAT and saved games in SAVE.DAT; the game appears to do its basic disk I/O through INT 83h, and SERENIA.COM's job is to service those calls from the matching position in the disk image.
;******************************************************************
;
; DOS Driver for [Adventure in Serenia] disk image
;
; - written by Mok <mokmok@usa.net>
; - analyzed by M-Stoned <mstoned7@gmail.com>
;
;******************************************************************
; COM file
; Entry point = 0x100
0C38:0100 8CC8 MOV AX,CS
0C38:0102 BBF002 MOV BX,02F0 ; size of this driver in bytes
0C38:0105 C1EB04 SHR BX,4 ; 2F0h / 16 = 2Fh paragraphs
0C38:0108 03C3 ADD AX,BX ; CS + 2Fh = first segment past the driver
0C38:010A 3D0020 CMP AX,2000 ; the driver must not extend past segment 2000h, where the boot sector is loaded
0C38:010D 760A JBE 0119 ;
0C38:010F BA6302 MOV DX,0263 ; 'Sorry, the DOS memory required by the game is not free.$'
0C38:0112 B409 MOV AH,09 ; print string
0C38:0114 CD21 INT 21
0C38:0116 E92A01 JMP 0243 ; exit with error
0C38:0119 B80020 MOV AX,2000
0C38:011C A34802 MOV [0248],AX ; [0248] = 2000h, load segment for the disk image's boot sector
0C38:011F BA5302 MOV DX,0253 ; SAVE.DAT
0C38:0122 B8023D MOV AX,3D02 ; open SAVE.DAT read/write
0C38:0125 CD21 INT 21
0C38:0127 7303 JNB 012C
0C38:0129 E91701 JMP 0243 ; open failed -> exit
0C38:012C A36102 MOV [0261],AX ; Handle1 : SAVE.DAT
0C38:012F BA4A02 MOV DX,024A ; GAME.DAT
0C38:0132 B8003D MOV AX,3D00 ; open GAME.DAT read-only
0C38:0135 CD21 INT 21
0C38:0137 7303 JNB 013C
0C38:0139 E90701 JMP 0243 ; open failed -> exit
0C38:013C A35D02 MOV [025D],AX ; [025D] = current handle, initially GAME.DAT
0C38:013F A35F02 MOV [025F],AX ; Handle2 : GAME.DAT (kept permanently)
0C38:0142 8BD8 MOV BX,AX
0C38:0144 8E1E4802 MOV DS,[0248] ; DS = 2000h
0C38:0148 BA007C MOV DX,7C00 ; buffer 2000:7C00
0C38:014B B90002 MOV CX,0200 ; 512 bytes
0C38:014E B43F MOV AH,3F ; read the boot record (first sector of GAME.DAT) into 2000:7C00
0C38:0150 CD21 INT 21
0C38:0152 0E PUSH CS
0C38:0153 1F POP DS ; DS = CS
0C38:0154 B88335 MOV AX,3583 ; get original Int 83h vector into ES:BX
0C38:0157 CD21 INT 21
0C38:0159 891E7101 MOV [0171],BX ; save original Int 83h address
0C38:015D 8C067301 MOV [0173],ES ;
0C38:0161 B88325 MOV AX,2583 ; hook Int 83h: new handler at DS:DX = CS:0175
0C38:0164 BA7501 MOV DX,0175
0C38:0167 CD21 INT 21
0C38:0169 FF364802 PUSH [0248]
0C38:016D 68007C PUSH 7C00
0C38:0170 CB RETF ; far jump to 2000:7C00 --> boot from the disk image
0C38:0171 0000 ADD [BX+SI],AL ; storage for the original Int 83h offset (DEBUG decodes the zero bytes as ADD)
0C38:0173 0000 ADD [BX+SI],AL ; storage for the original Int 83h segment
;*******************************************************************
; New Int 83h
; AH = function, AL = sector count, CH = track, CL = sector (1-based), ES:BX = buffer
;*******************************************************************
0C38:0175 FB STI
0C38:0176 84E4 TEST AH,AH ; AH = 0: nothing to do (TEST also clears CF)
0C38:0178 7418 JZ 0192
0C38:017A 80FC02 CMP AH,02 ; read ?
0C38:017D 7436 JZ 01B5
0C38:017F 80FC03 CMP AH,03 ; write ?
0C38:0182 7503 JNZ 0187
0C38:0184 E98200 JMP 0209
0C38:0187 80FCAA CMP AH,AA ; select SAVE.DAT ?
0C38:018A 7409 JZ 0195
0C38:018C 80FCBB CMP AH,BB ; select GAME.DAT ?
0C38:018F 7414 JZ 01A5
0C38:0191 F9 STC ; unknown function: return with CF set
0C38:0192 CA0200 RETF 0002 ; discard the flags pushed by INT, so the caller sees this CF
; function AAh
; disk change ? SAVE.DAT becomes the current handle
0C38:0195 2E CS:
0C38:0196 A16102 MOV AX,[0261] ; Handle1 : SAVE.DAT
0C38:0199 2E CS:
0C38:019A A35D02 MOV [025D],AX ; current handle = SAVE.DAT
0C38:019D 2E CS:
0C38:019E C6065C0201 MOV BYTE PTR [025C],01 ; flag: SAVE.DAT selected
0C38:01A3 EBED JMP 0192
; function BBh
; GAME.DAT becomes the current handle again
0C38:01A5 2E CS:
0C38:01A6 A15F02 MOV AX,[025F] ; Handle2 : GAME.DAT
0C38:01A9 2E CS:
0C38:01AA A35D02 MOV [025D],AX ; current handle = GAME.DAT
0C38:01AD 2E CS:
0C38:01AE C6065C0200 MOV BYTE PTR [025C],00 ; flag: GAME.DAT selected
0C38:01B3 EBDD JMP 0192
; function 02h: read AL sectors from track CH, sector CL of the current file into ES:BX
0C38:01B5 60 PUSHA
0C38:01B6 1E PUSH DS
0C38:01B7 06 PUSH ES
0C38:01B8 1F POP DS ; DS = ES (buffer segment)
0C38:01B9 2E CS:
0C38:01BA 803E5C0201 CMP BYTE PTR [025C],01 ; SAVE.DAT selected ? then no remapping
0C38:01BF 7412 JZ 01D3
0C38:01C1 80FD01 CMP CH,01 ; track < 01h ? no remapping
0C38:01C4 720D JB 01D3
0C38:01C6 80FD0A CMP CH,0A ; track > 0Ah ? no remapping
0C38:01C9 7708 JA 01D3
0C38:01CB FEC9 DEC CL ; GAME.DAT tracks 01h..0Ah: sector = (sector-1)*2+1
0C38:01CD 02C9 ADD CL,CL
0C38:01CF 02C0 ADD AL,AL ; count = count*2
0C38:01D1 FEC1 INC CL ;
0C38:01D3 50 PUSH AX ; keep sector count
0C38:01D4 53 PUSH BX ; keep buffer offset
0C38:01D5 8AC5 MOV AL,CH
0C38:01D7 B408 MOV AH,08
0C38:01D9 F6E4 MUL AH ; AX = track * 8 (8 sectors per track)
0C38:01DB 32ED XOR CH,CH ; CX = sector
0C38:01DD 8BD8 MOV BX,AX ;
0C38:01DF FEC9 DEC CL ; CX = sector - 1
0C38:01E1 03D9 ADD BX,CX ; BX = track*8 + sector-1 = linear sector number
0C38:01E3 B80002 MOV AX,0200 ;
0C38:01E6 F7E3 MUL BX ; DX:AX = linear sector * 200h (sector size)
0C38:01E8 8BCA MOV CX,DX
0C38:01EA 8BD0 MOV DX,AX ; CX:DX = file offset
0C38:01EC 2E CS:
0C38:01ED 8B1E5D02 MOV BX,[025D] ; current handle (GAME.DAT or SAVE.DAT)
0C38:01F1 B80042 MOV AX,4200 ; LSEEK from start of file to CX:DX
0C38:01F4 CD21 INT 21
0C38:01F6 5A POP DX ; DX = buffer offset (original BX)
0C38:01F7 59 POP CX ; CX = original AX
0C38:01F8 32ED XOR CH,CH ; CX = sector count
0C38:01FA C1E109 SHL CX,9 ; CX = count * 200h bytes
0C38:01FD B43F MOV AH,3F ; read CX bytes from handle BX into DS:DX
0C38:01FF CD21 INT 21
0C38:0201 1F POP DS
0C38:0202 61 DB 61 ; POPA (DEBUG cannot decode 186+ opcodes)
0C38:0203 32E4 XOR AH,AH
0C38:0205 F8 CLC ; success
0C38:0206 CA0200 RETF 0002
;
; function 03h: write AL sectors from ES:BX to track CH, sector CL of SAVE.DAT (no remapping, flag at 025C ignored)
;
0C38:0209 60 PUSHA
0C38:020A 1E PUSH DS
0C38:020B 06 PUSH ES
0C38:020C 1F POP DS ; DS = ES (buffer segment)
0C38:020D 50 PUSH AX ; keep sector count
0C38:020E 53 PUSH BX ; keep buffer offset
0C38:020F 8AC5 MOV AL,CH
0C38:0211 B408 MOV AH,08
0C38:0213 F6E4 MUL AH ; AX = track * 8
0C38:0215 32ED XOR CH,CH
0C38:0217 8BD8 MOV BX,AX
0C38:0219 FEC9 DEC CL
0C38:021B 03D9 ADD BX,CX ; BX = track*8 + sector-1
0C38:021D B80002 MOV AX,0200
0C38:0220 F7E3 MUL BX ; DX:AX = file offset
0C38:0222 8BCA MOV CX,DX
0C38:0224 8BD0 MOV DX,AX
0C38:0226 2E CS:
0C38:0227 8B1E6102 MOV BX,[0261] ; Handle1 : SAVE.DAT (always, whatever [025C] says)
0C38:022B B80042 MOV AX,4200 ; LSEEK from start of file to CX:DX
0C38:022E CD21 INT 21
0C38:0230 5A POP DX ; DX = buffer offset
0C38:0231 59 POP CX ; CX = original AX
0C38:0232 32ED XOR CH,CH ; CX = sector count
0C38:0234 C1 DB C1 ; bytes C1 E1 09 = SHL CX,9 (count * 200h); DEBUG mis-decodes them as
0C38:0235 E109 LOOPZ 0240 ; DB C1 / LOOPZ, compare the same bytes at 01FA
0C38:0237 B440 MOV AH,40 ; write CX bytes from DS:DX to handle BX
0C38:0239 CD21 INT 21
0C38:023B 1F POP DS
0C38:023C 61 DB 61 ; POPA
0C38:023D 32E4 XOR AH,AH
0C38:023F F8 CLC ; success
0C38:0240 CA0200 RETF 0002
0C38:0243 B8014C MOV AX,4C01 ; terminate program with return code 1
0C38:0246 CD21 INT 21
0C38:0248 0000 dw 0 ; load segment (2000h after init)
0C38:024A 47 db 'GAME.DAT',0
0C38:0253 53 db 'SAVE.DAT',0
0C38:025C 00 db 0 ; flag: 1 = SAVE.DAT is the current handle
0C38:025D 0000 dw 0 ; current handle (GAME.DAT or SAVE.DAT)
0C38:025F 0000 dw 0 ; Handle2 : GAME.DAT
0C38:0261 0000 dw 0 ; Handle1 : SAVE.DAT
0C38:0263 53 db 'Sorry, the DOS memory required by the game is not free.$'
0C38:029B 0D0A4164 db 0Dh,0Ah,'Adventure in Serenia by Sierra/IBM. Dos driver by Mok <mokmok@usa.net>.',0
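As an added example (not code from the original post or from Mok's driver), here is a Python model of the INT 83h handler's register interface and file-offset arithmetic as read off the listing above; the 40-track sample image and its contents are constructed here, and the 8-sectors-per-track and 512-byte-sector constants are the values the handler multiplies by.

```python
SECTOR = 512            # MOV AX,0200 / MUL BX
SECTORS_PER_TRACK = 8   # MOV AH,08 / MUL AH

class SereniaDriver:
    """Register-level model of the INT 83h handler at 0175h (constructed, not the driver's code)."""

    def __init__(self, game: bytes, save: bytearray):
        self.game = game            # handle at 025Fh, opened read-only (AX=3D00h)
        self.save = save            # handle at 0261h, opened read/write (AX=3D02h)
        self.save_selected = False  # flag byte at 025Ch; also selects the handle at 025Dh

    @staticmethod
    def file_offset(track: int, sector: int) -> int:
        # BX = track*8 + (sector-1); DX:AX = BX*200h is the LSEEK target (AX=4200h)
        return (track * SECTORS_PER_TRACK + (sector - 1)) * SECTOR

    def read(self, track: int, sector: int, count: int) -> bytes:
        # Function 02h: only GAME.DAT tracks 01h..0Ah get the sector/count doubling
        if not self.save_selected and 1 <= track <= 0x0A:
            sector = (sector - 1) * 2 + 1   # DEC CL / ADD CL,CL / INC CL
            count *= 2                      # ADD AL,AL
        src = self.save if self.save_selected else self.game
        off = self.file_offset(track, sector)
        return bytes(src[off:off + count * SECTOR])   # AH=3Fh, CX = count << 9

    def write(self, track: int, sector: int, count: int, data: bytes) -> int:
        # Function 03h: always SAVE.DAT, never remapped, flag at 025Ch ignored
        off, n = self.file_offset(track, sector), count * SECTOR
        self.save[off:off + n] = data[:n].ljust(n, b"\0")
        return n                                      # AH=40h, CX = count << 9

    def int83(self, ah: int, al: int = 0, ch: int = 0, cl: int = 0, data: bytes = b""):
        """Dispatch like 0175h. Returns (carry_flag, bytes_read) as the game would see them."""
        if ah == 0x00:
            return False, b""           # TEST AH,AH clears CF, RETF 0002 passes it through
        if ah == 0x02:
            return False, self.read(ch, cl, al)
        if ah == 0x03:
            self.write(ch, cl, al, data)
            return False, b""
        if ah in (0xAA, 0xBB):          # switch the current handle between SAVE.DAT and GAME.DAT
            self.save_selected = ah == 0xAA
            return False, b""
        return True, b""                # unknown function: STC, so the caller sees CF=1

def demo_image() -> SereniaDriver:
    # Constructed 40-track GAME.DAT where every 512-byte sector is filled with its own index
    game = b"".join(bytes([k & 0xFF]) * SECTOR for k in range(40 * SECTORS_PER_TRACK))
    return SereniaDriver(game, bytearray(len(game)))
```

Reading track 2, sector 3 through the model lands on linear sectors 20 and 21 of the image, which is the doubling the handler applies to tracks 01h..0Ah.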
------
I looked at this a while ago and am only posting it now.
It has been a long time since I looked at DOS code with DEBUG.
These days I only look at Windows and OS X files...
It brings back memories.