Archive for the ‘Games’ Category

iPhone CRPG Review

Wednesday, January 13th, 2010

Well, I’ve been busy over the last few weeks, searching the App Store for CRPGs.

For me, I’m looking for Role Playing Games on a Computer, versus a fantasy button-masher version of Street Fighter, like Final Fantasy.

Thus I’m looking for things like: Bard’s Tale, Dungeon Master, Ultima, Ultima Underworld, Might and Magic, the AD&D Gold Box games, Baldur’s Gate, but not dungeon crawls of the Rogue-like type.

So the games I’ve found so far are:

Perilar

Now this is a very early retro-style game. My first thought was that the graphics were crazy old, but I read a lot about the intention of the game, and it hits its design goals. Once you accept the graphics, you can get into the mechanics of the game: how combat works, the restriction of one weapon and one piece of armour at a time. This all makes taking notes helpful for learning the system, while exploring an ever greater area of the game world.

While I enjoyed exploring the game mechanics, I’ll be honest: I played till I reached the levelling limit of the free version, and then felt no need to buy the full version. It was fun, but it was not what I was looking for. There were very limited side quests.

The Quest

This is much closer to the mark of what I was trying to find. The game has a long history on PC and mobile devices, so this is really a port of the game to the iPhone platform. The game is very elaborate, and there is a lot that I enjoy, but an issue that grated for me was the graphics. While they are claimed to be beautiful hand-drawn pictures, and I assume they look good when seen at 100%, they look really bad as they get scaled due to depth and movement. As the pictures are restricted to a 255-colour palette, they have hard colour bands that come off really badly with the subpixel selection method they use; now if they were blended, and were more softened to begin with, I would have played more, but really it bugged me enough that I went looking for better.

I was going to return to it if nothing better was found.

Hero Of Sparta

This is a button masher, thus not what I’m looking for. It looks good, because it has to; it’s pretty lights and button mashing.

Next..

Undercroft

This game is fantastic, very reminiscent of the class of game that I’m searching for. The game mechanics are great, you have a team of four people, but most importantly, it looks good. As you can see in the above picture, there is a classic out-of-place look about the wolves against the background, but both look good, so it does not break the immersion (I wonder if it’s pre-rendered or just good blending).

I have been enjoying exploring the combat skills system; some very noteworthy points are:

  • It has multiple save games, and auto save.
  • It’s turn-based, so you have time to think and plan your actions (no button mashing), but you can still do that by pressing the attack button as fast as you like; you soon learn to slow down versus big monsters, to track health levels/damage etc.
  • I like that they have an auto-generate party option; this allowed me to start playing while pages of help explained how the different stats/classes/skills affect things. Now that I’ve got the game understood, I’m keen to play again with a custom party. What I’ll be keen to explore at that point is how well the game replays, or whether it will be a 100% replay..

So I have found the type of game I was looking for. In fact, Undercroft is very much what I was thinking I would like ‘my game’ to be, so hats off to Rake in Grass for this classy game. They even have little humour points like the One Ring to rule them all in the magic shop for only 999K.

Update, 1 hour later: Just purchased the full game ($6.49 NZD) as I got to the end of the lite version. Very good price for a game that I’ve already spent a couple of hours playing..

Curse of the Azure Bonds – build 1.0.21

Wednesday, November 4th, 2009

Build 1.0.21 has been released. Fixed in this version:

  • Issue 36, Fixed staff-sling weapon targeting
  • Issue 44, Fixed the modify player screen so edits to exceptional strength stay
  • Issue 45, Fixed the Order menu (found off Encamp, Alter), so you can select and place the party members
  • Issue 46, Fixed horizontal menu scroll via comma and dot keys

I also reworked how the combat engine builds target lists, and intend to change it to an A* system, but at this point it is a direct path-cost based system, so I added a caching layer, and with all graphics and sounds turned off (not a committed change) the combat is over in under a second.

To do this I hacked the game apart to dynamically turn graphics/sound/delays off, and then used the Red Gate ANTS Performance Profiler to find the overworked code, and it worked really well. I cheated and just used their 14-day trial version. But I did provide some feedback, and it has some really nice features like the ability to zoom in to parts of the run history, guidance on hotspots, and drilling down to see the code related to the CPU time. Check it out if your application is running a little slow.

As always, give the newer version a try; if you find any issues, even “old known” issues, let me know by commenting here, emailing me directly, or adding them to the issue list.

Reverse Engineering ‘Pools of Darkness’: Part 2

Tuesday, October 6th, 2009

This is the second post in a series on reverse engineering Pools of Darkness.

The first is here, and I’ll add links to the later posts as we go.

Also note that this post, the previous post and the next posts can be skipped by using unp (unprotect).

Now loading dump.bin into IDA

This process is very messy…

Points to remember from the dumping: the memory base address was 0xba1, the first chunk of code moved the base segment to 0xbb1, and after the descrambler the code jumps to 0xbb1:2.

Open IDA, and start a new project, select dump.bin, at the loading screen set the loading segment to 0xba1. Press ok.

02-ida-load-settings

When asked if you want 32bit or 16bit choose 16bit.

03-ida-32bit-16bit

Edit the first segment (Edit -> Segments -> Edit Segments) and change the End address to 0xbb10 and unselect ‘Move adjacent segments’

04-ida-edit-seg000

Create a new segment (Edit -> Segments -> Create Segments) seg001, Start address 0xbb10, End Address 0x3ba10, Base 0xbb1, 16bit, OK

05-ida-create-seg001

I’m using the free version of IDA Pro and it has a create-segment bug, where the segment is 32-bit even though it is marked 16-bit. So edit it like we did for seg000.

Now we can jump to seg001:0002 and press C to say this is code, as this is the Pascal __SystemInit function. We can see that it makes lots of calls to addresses that are not correctly decoded.

06-ida-segment-inits

Long story short, these are each segment’s init function, and they run from seg001:0002 to seg001:0101

07-ida-segment-inits

These actually provide a mapping of the segments of the game, so we can see that seg001 must end at 0xBE1 as that’s the next segment, which ends at 0xBEE, and so on. We could hand-create these segments or we could write an IDA script (.idc) to do the work for us.

Select the text area (seg001:0002 to seg001:0101), copy the contents to Visual Studio and run this Replace regex (Visual Studio regex syntax: :h is a hex digit, :b is whitespace, {} captures)

// ^seg001\::h:h:h:h:b+call:b+(far:bptr:b)*{:h+}h\:.*$
// SegCreate(0x\10, 0x\10, 0x\1, 0, 1, 2);\nSegRename(0x\10, "seg000");\nSegClass(0x\10, "CODE");

to build the IDC code that creates the segment tables.

There is a bug in IDA Freeware Version 4.9 in which the first segment you create ignores the 16-bit/32-bit setting you chose; in our script above this can be fixed by adding

SegAddrng(0x13D60,0);

IDA gives you the ability to export your work as an IDC file, so we will do this, via (File -> Produce File -> Dump database to IDC file)

08-ida-idc-export

Giving us darkness-0.idc; we can now merge in our segment-creating code from Visual Studio, to give us darkness-1.idc

Now we can run this script to get back to our current state. As we progress it’s a good idea to either hand-edit your idc file and rerun it to check you have all of your edits, or, if you do major work via the UI, export a new IDC file; very much like save games for RPGs, you can never have too many saves. Heck, even version control might be a good idea…

Now when we run this script on our loaded dump.bin, we get some of the initial segments setup.

The stack and the data segment are not correct yet; if we turn seg001:02 into code, we see those initial setup functions.

09-ida-init-calls

If we follow the first call (sub_13D60) we get to the seg053 init code.

10-ida-data-segment-address

The first instruction sets DS to 0x1598, which we will see elsewhere. If we look in the segment window, the last segment, seg053, starts at 0x13D6, so long story short, 0x1598 is the start address of the data segment. A very useful piece of information.

So we update our script, adding a new segment called Data at 0x1598:

SegCreate(0x15980, 0x3BA20, 0x1598, 0, 1, 2);
SegRename(0x15980, "Data");
SegClass(0x15980, "DATA");
SegAddrng(0x15980,0);

And to avoid having to press C (code) at seg001:0002 again we can add that command like this:

MakeCode(0xBB12);

thus giving darkness-2.idc

At this point you can explore the code, and start to get an idea of how it works. You can name functions (n) or make bits of assembly into functions (p) and jump around the code, but we’ll not do that just yet, because as you will discover most of the code is missing.

To show this go back to the seg001 init call block (seg001:48)

11-ida-init-calls

and follow the call to sub_d310

12-ida-overlay-code

The int 13h calls the overlay handler, which loads the actual code block into a different location in memory, then rewrites this segment (seg039) so each function location (stub) jumps to the overlay code. Any calls to seg039 functions are then redirected with no extra overhead. If the currently loaded overlay changes (due to a call into another segment) then seg039 gets rewritten back to how it was, and the new segment gets mapped.

The actual code that sets up the overlay manager is one of the first segments called in the init call block, and I may point it out later, but for now we have to load all the missing code by hand, and rewrite the existing code so we can follow what’s happening, and that will make an exciting next post…

Reverse Engineering ‘Pools of Darkness’: Part 1

Sunday, October 4th, 2009

I thought I would reverse engineer Pools of Darkness to capture the process in a series of blog posts.

This is the first, and I’ll add links to the later posts as we go. Part 2

Prerequisite:

Open game.exe in IDA Pro, jump to the start function (Ctrl+E). Here it is:

01-darkness-in-ida

In summary: it moves the executable to a new location in memory, then “jumps to the next function” by pushing the new memory address (seg001:0038) onto the stack and then returning to it (which is just a pop and jump).

The next blob of code, seg001:0038 – seg001:00FE, is a fancy-pants scrambler, which by the way is exactly the same as Curse of the Azure Bonds had.

Line seg001:00FE is the interesting line:

seg001:00FE     jmp     dword ptr cs:[bx]

This is where the descrambler jumps to the actual game code.  The code in IDA is the scrambled version, so we want to get access to the descrambled memory layout.  So quit IDA Pro, and don’t keep this database.

For Curse I used the DOS debugger to get the descrambled memory, so let’s do it again.

Here is the generic script to dump the memory:

g AAAA:37
p
g BBBB:fe
d 0 ffff
a BBBB:fe
mov dx,CCCC
mov ds,dx

p
p
d 0 ffff
a 1ab1:103
mov dx,DDDD
mov ds,dx

p
p
d 0 ffff
q

To get the values of AAAA, BBBB, CCCC and DDDD we start from a command prompt and enter r to get the register dump:

C:\games\DARKNESS>debug game.exe
-r
AX=0000  BX=0000  CX=F8CB  DX=0000  SP=0080  BP=0000  SI=0000  DI=0000
DS=0BA1  ES=0BA1  SS=1DC7  CS=1AED  IP=0012   NV UP EI PL NZ NA PO NC
1AED:0012 8CC0          MOV     AX,ES
-

DS is the beginning of the memory, CCCC is DS + 0x1000 and DDDD is DS + 0x2000, AAAA is CS, and BBBB is DS + 10 + word_1F3CC, which happens to be 0x11C5; but I just step (p) six times, and read the value from AX.

Now we can run the debugger a couple more times to double-check the base addresses are the same each run… which they are.

Now we can run the script as input to debug.exe to dump the 192KB of game RAM (three 64KB segments), via this command

debug game.exe < run.txt > out.txt

I found a few times I had to kill the process, as the quit (q) command at the end was not working…

But you now have a file looking like this:

-g 1aed:0037
AX=0038  BX=0000  CX=0000  DX=0001  SP=007C  BP=0000  SI=FFFF  DI=FFFF
DS=1AED  ES=1D76  SS=1DC7  CS=1AED  IP=0037   NV DN EI PL NZ NA PE NC
1AED:0037 CB            RETF
-p
AX=0038  BX=0000  CX=0000  DX=0001  SP=0080  BP=0000  SI=FFFF  DI=FFFF
DS=1AED  ES=1D76  SS=1DC7  CS=1D76  IP=0038   NV DN EI PL NZ NA PE NC
1D76:0038 06            PUSH	ES
-g 1d76:fe
AX=0BA1  BX=0000  CX=0000  DX=F000  SP=4000  BP=0000  SI=2576  DI=4000
DS=0BA1  ES=0BA1  SS=2576  CS=1D76  IP=00FE   NV UP EI PL NZ NA PO NC
1D76:00FE 2E            CS:
1D76:00FF FF2F          JMP	FAR [BX]                           CS:0000=0002
-d 0 ffff
0BA1:0000  CD 20 FF 9F 00 9A F0 FE-1D F0 4F 03 95 05 8A 03   . ........O.....
0BA1:0010  95 05 17 03 95 05 84 05-03 04 01 00 02 FF FF FF   ................
0BA1:0020  FF FF FF FF FF FF FF FF-FF FF FF FF 42 0B F1 49   ............B..I
0BA1:0030  95 05 14 00 18 00 A1 0B-FF FF FF FF 00 00 00 00   ................
0BA1:0040  05 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0BA1:0050  CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20   .!...........

Next we need to turn that into a binary file. The code I wrote for Curse requires only the hex dump lines, so we trim the extra lines from the out.txt file first.

#include <cstdio>
#include <cstring>
#include <iostream>

using namespace std;

// Convert one pair of upper-case hex digits (as debug.exe prints them) to a byte.
unsigned char decode(char h, char l)
{
    unsigned char hv, lv;
    if ( h >= 'A' && h <= 'F' )
        hv = h - 'A' + 10;
    else
        hv = h - '0';

    if ( l >= 'A' && l <= 'F' )
        lv = l - 'A' + 10;
    else
        lv = l - '0';

    return (lv + (hv * 16));
}

// A debug.exe dump line looks like
//   0BA1:0000  CD 20 FF 9F 00 9A F0 FE-1D F0 4F 03 95 05 8A 03   . ........O.....
// The first 8 byte pairs start at column 11, the '-' is at column 34 and the
// second 8 pairs start at column 35, so a dump line is at least 58 characters.
// Register dumps, prompts and assembled instructions do not fit this shape.
bool isDumpLine(const char *line)
{
    return strlen(line) >= 58 && line[4] == ':' && line[9] == ' '
        && line[10] == ' ' && line[34] == '-';
}

int main()
{
    const int lineSize = 1024;
    char line[lineSize];

    FILE *out = fopen( "dump.bin", "wb" );
    if ( !out )
        return 1;

    unsigned char byte;

    // Read stdin line by line; the loop ends when getline fails, so the last
    // line is never processed twice. Lines that are not dump lines are skipped,
    // which also guards against any stray line left over after trimming.
    while ( cin.getline( line, lineSize ) )
    {
        if ( !isDumpLine( line ) )
            continue;

        int offset = 11;
        for(int i=0; i<8; i++)
        {
            char h = line[offset+(i*3)];
            char l = line[offset+(i*3)+1];

            byte = decode(h, l);

            fwrite(&byte,1,1,out);
        }

        offset = 35;
        for(int i=0; i<8; i++)
        {
            char h = line[offset+(i*3)];
            char l = line[offset+(i*3)+1];

            byte = decode(h, l);

            fwrite(&byte,1,1,out);
        }
    }
    fclose(out);
    return 0;
}

Now, using it like so:

dumpparse.exe < out2.txt

we get the file dump.bin

Which we will load into IDA Pro in Part 2
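As an added example (mine, not the dumpparse code above or anything from the original post), here is the same conversion done in a way that checks its own output. It reads the raw out.txt without trimming, keeps only lines that have the shape of debug.exe ‘d’ output, places each 16-byte line at its linear address relative to the starting DS (0x0BA1 for game.exe, from the r dump above) and reports any gap, so a dump line lost when the debugger had to be killed shows up as a zero-filled hole rather than silently shifting every byte behind it. The transcript embedded in it is constructed for illustration; the CCCC/DDDD helper just applies the DS + 0x1000 / DS + 0x2000 rule from above.

```python
import re
import sys

# One line of debug.exe "d" output, e.g.
#   0BA1:0000  CD 20 FF 9F 00 9A F0 FE-1D F0 4F 03 95 05 8A 03   . ........O.....
# segment:offset, then 16 hex byte pairs with a '-' between the 8th and 9th.
DUMP_LINE = re.compile(
    r'^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+'
    r'((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})')

BASE_SEG = 0x0BA1          # DS when debug.exe loads game.exe (see the r dump above)
DUMP_SIZE = 3 * 0x10000    # three "d 0 ffff" runs = 192KB


def linear(seg, off=0):
    """Real-mode segment:offset to a 20-bit linear address."""
    return (seg << 4) + off


def patch_segments(ds):
    """The CCCC/DDDD values the debug script needs: DS + 0x1000 and DS + 0x2000."""
    return ds + 0x1000, ds + 0x2000


def parse_debug_dump(text, base_seg=BASE_SEG):
    """Return (data, gaps) for a raw debug.exe transcript.

    Only lines that look like 'd' output contribute bytes, so the '-g', '-p'
    prompts, register dumps and assembled instructions in out.txt are skipped
    without trimming the file. Each line lands at its linear address relative
    to base_seg, so a missing line becomes an entry in gaps (zero-filled)
    instead of shifting every later byte, and a repeated line overwrites
    itself instead of being written twice.
    """
    base = linear(base_seg)
    chunks = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        addr = linear(int(m.group(1), 16), int(m.group(2), 16)) - base
        if addr < 0:
            raise ValueError('dump line below base segment: ' + line)
        chunks[addr] = bytes.fromhex(m.group(3).replace('-', ' '))
    data = bytearray()
    gaps = []
    for addr in sorted(chunks):
        if addr > len(data):
            gaps.append((len(data), addr))
            data.extend(b'\x00' * (addr - len(data)))
        data[addr:addr + 16] = chunks[addr]
    return bytes(data), gaps


# Constructed sample transcript (not real game memory): two contiguous dump
# lines, a register dump that must be ignored, then a line that skips 16 bytes
# (0BA2:0020 is base + 0x30, but only 0x20 bytes precede it) to show gap handling.
SAMPLE = """-d 0 ffff
0BA1:0000  CD 20 FF 9F 00 9A F0 FE-1D F0 4F 03 95 05 8A 03   . ........O.....
0BA1:0010  95 05 17 03 95 05 84 05-03 04 01 00 02 FF FF FF   ................
AX=0BA1  BX=0000  CX=0000  DX=F000  SP=4000  BP=0000  SI=2576  DI=4000
0BA2:0020  CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20   .!...........
"""


def main(argv):
    src = open(argv[1], errors='replace').read() if len(argv) > 1 else SAMPLE
    data, gaps = parse_debug_dump(src)
    with open('dump.bin', 'wb') as f:
        f.write(data)
    print('wrote %d bytes (expected %d)' % (len(data), DUMP_SIZE))
    for lo, hi in gaps:
        print('gap: 0x%05X-0x%05X zero-filled' % (lo, hi))
    return 0 if len(data) == DUMP_SIZE and not gaps else 1


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as python dumpparse.py out.txt; a non-zero exit means the dump is not the full 192KB or has holes, which is exactly the case where the q command misbehaved and the process had to be killed part way through.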

Monopoly City Streets

Thursday, September 10th, 2009

Conor (condor) put me onto Monopoly City Streets, which is a very cool idea, albeit the server is running as slow as a wet rag.

All was going well until Conor bulldozed one of my buildings.

Check it out, I’m playing as the very imaginative ’simeonpilgrim’