Gold Box games Cheat Codes

On the Forgotten Realms Unlimited Adventures Forum it was asked for the ‘The Gods intervene!’ cheats for all the Gold Box based games, so I produced this list.

Pool of Radiance Forgotten Realms series:

  • Pool of Radiance cheat code is ‘start.exe STING’
  • Curse of the Azure Bonds cheat code is ‘start.exe STING Wooden’ as noted here
  • Secrets of the Silver Blade cheat code is ‘start.exe Hoop Gem’ as noted here
  • Pools of Darkness cheat code is ‘game.exe 2 2 Helm’ as noted here
  • FRUA doesn’t seem to have obvious cheat code. aka not based on PoR code

Savage Frontier Forgotten Realms series:

  • Gateway to the Savage Frontier currently needs a hacked executable (here) and then ‘game.exe Super Wooden’ press the Z button on your turn and ‘-‘ on the monsters
  • Treasure of the Savage Frontier ‘game.exe 2 2 Helm’

Dragonlance series:

  • Champions of Krynn cheat code is ‘start.exe Woof Helm’
  • Death Knights of Krynn cheat code is ‘start.exe anything Helm’
  • Dark Queen of Krynn appears the same code as FRUA so again not sure.

The two Buck Rogers game are using the PoR code base, but all the normal cheat code has been removed. And there is no obvious “Gods intervene!” in the text strings of the engine

Spelljammer: Pirates of Realmspace  is a different code base, the previous games PoR based code bases are Pascal where as this one is C/C++, I couldn’t see anything that looks like a “Gods intervene” text string ether.

Pools of Darkness cheat codes

There are a few debugging/testing cheat codes for the DOS version of Pools of Darkness.

The first: adding a 1 as the first parameter skips the title screen, and copy protection.

game.exe 1

Then there are three choices of third parameter

  • Gem – Allows view of the area map in all locations
  • HALIBUT – Allows editing/modifying of experienced players
  • Helm – Allows ‘The GODS Intervene!’ – a.k.a. kills all enemy in combat, via alt-x

Thus to play the latter you would type

game.exe 1 2 Helm

What I don’t know yet is how to control what game is loaded if you use the 1 parameter, and the game ends up in a slightly unplayable mode. From reading the code it looks like it should load saved game Z. But that’s not working out for me so far.

Reverse Engineering ‘Pools of Darkness’: Part 2

This is the second post in a serries on reverse engineering Pools of Darkness.

The first is here, and I’ll add links to the later posts as we go.

Also note this post, the previous post and next posts can be skipped by using unp (unprotect)

Now loading dump.bin into IDA

This process is very messy…

Points to remember from the dumping, the memory base address was 0xba1, the first chunk of code moved the base segment to 0xbb1, after the descrambler the code jumps to 0xbb1:2

Open IDA, and start a new project, select dump.bin, at the loading screen set the loading segment to 0xba1. Press ok.


When asked if you want 32bit or 16bit choose 16bit.


Edit the first segment (Edit -> Segments -> Edit Segments) and change the End address to 0xbb10 and unselect ‘Move adjacent segments’


Create a new segment (Edit -> Segments -> Create Segments) seg001, Start address 0xbb10, End Address 0x3ba10, Base 0xbb1, 16bit, OK


I’m using the free version of IDA Pro and it has a create segment bug, where the segment is 32bit even though marked it 16bit. So edit like we did for seg000

Now we can jump to seg001:0002 and press C to say this is code, as this is the Pascal __SystemInit function. We can see that it makes lots of calls to address that are not correctly decoded.


Long story short, these are each segment’s init function, and they run from seg001:0002 to seg001:0101


These actually provide mapping of the segments of the game, so we that seg001 must end at 0xBE1 as that’s the next segment, which ends at 0xBEE, so we could hand create these segments or we could write a IDA script (.idc) to do the work for us.

Select the text area (seg001:0002 to seg001:0101), copy the contents to Visual Studio run this Replace Regex

// ^seg001\::h:h:h:h:b+call:b+(far:bptr:b)*{:h+}h\:.*$
// SegCreate(0x\10, 0x\10, 0x\1, 0, 1, 2);\nSegRename(0x\10, "seg000");\nSegClass(0x\10, "CODE");

To build the idc code to build the segment tables.

There is a bug in IDA Freeware Version 4.9 in which the first segment you create ignores the 16bit/32bit setting you chose, in our script above this can be fixed by adding


IDA gives you the ability to export your work as a IDC file so we will do this, via (File -> Produce File -> Dump database to IDC file)


Giving us darkness-0.idc, we can now merge our segment creating code from Visual Studio, to give us darkness-1.idc

Now we can run this script to back to our current state. As we progress it’s a good idea to ether hand edit your idc file and rerun that to check you have all of your edits, and if you do major work via the UI, export a new IDC file, very much like save games for RPGs you can never have too many saves. Heck even version control might be a good idea…

Now when we run this script on our loaded dump.bin, we get some of the initial segments setup.

The stack and the data segment are not correct, if we turn seg001:02 to code, we see those initial setup functions.


If we follow the first call (sub_13D60) we get to the seg053 init code.


The first instruction sets DS to 0x1598, which we will see elsewhere. If we look in the segment window, the last segment seg053 starts at 0x13D6 so a long story short, this is the start address of the data segment. A very useful piece of information

So we update our script. Adding a new segment called data at 0x1598h

SegCreate(0x15980, 0x3BA20, 0x1598, 0, 1, 2);
SegRename(0x15980, "Data");
SegClass(0x15980, "DATA");

And to avoid having to press C (code) at seg001:0002 again we can add that command like this:

MakeCode	(0XBB12);

thus giving darkness-2.idc

At this point you can explore the code, and start to get an idea of how it works. You can name functions (n) or make bits of assembly into functions (p) jump around the code, but we’ll not do that just get, because as you will discover most the code is missing.

To show this go back to the seg001 init call block (seg001:48)


and follow the call to sub_d310


The int 13h calls the overlay handler, which loads the actual code block into an different location in memory, then it rewrites this segment (seg039) so each function location (stub) jumps to the overlay code. Any calls to seg039 functions are then redirected with no extra over head. If the current loaded overlay changes (due to call into another segment) then seg039 gets rewritten back to how it was, and the new segment get mapped.

The actual code that sets up the overlay manager is one of the first segments called in the init call block, and I may point out later, but for now we have to load all missing code by hand, and rewrite the existing code to we can follow what’s happening, and that will make a exciting next post…

Reverse Engineering ‘Pools of Darkness’: Part 1

I thought I would reverse engineer Pools of Darkness to capture the process in a serries of blog posts.

This is the first, and I’ll add links to the later posts as we go. Part 2


Open game.exe in IDA Pro, jump to the start function (Ctrl+E). Here it is:


In summary: it moves the executable to a new location in memory, then “jumps to the next function” via pushing the new memory address (seg001:0038) onto that stack and the returning to it (which is just a pop and jump).

The next blob of code seg001:0038 – seg001:00FE is a fancy pants scrambler, which by the way is exactly the same as Curse of the Azure Bonds had.

Line seg001:00FE is the interesting line:

seg001:00FE     jmp     dword ptr cs:[bx]

This is where the descrambler jumps to the actual game code.  The code in IDA is the scrambled version, so we want to get access to the descrambled memory layout.  So quit IDA Pro, and don’t keep this database.

For Curse I used the DOS debugger to get the descrambled memory, so lets do it again.

Here is the generic script to dump the memory:

g AAAA:37
g BBBB:fe
d 0 ffff
a BBBB:fe
mov dx,CCCC
mov ds,dx

d 0 ffff
a 1ab1:103
mov dx,DDDD
mov ds,dx

d 0 ffff

To get the values of AAAA, BBBB, CCCC and DDDD we start from a command prompt:

enter R to get the register dump

C:\games\DARKNESS>debug game.exe
AX=0000  BX=0000  CX=F8CB  DX=0000  SP=0080  BP=0000  SI=0000  DI=0000
1AED:0012 8CC0          MOV     AX,ES

DS is the beginning of the memory, and CCCC is DS + 0x1000 and DDDD is DS + 0x2000, AAAA is CS, and BBBB is DS + 10 + word_1F3CC, which happens to be 0x11C5, but I just step (p) six times, and read the value from AX

now we can run the debugger a couple more time to double check the base address are the same each run…. which they are.

now we can run the script as input to debug.exe to dump the 192Kb of game ram, via this command

debug game.exe < run.txt > out.txt

I found a few times I had to kill the process, as the quit (q) command at the end was not working…

But you now have a file looking like this

-g 1aed:0037
AX=0038  BX=0000  CX=0000  DX=0001  SP=007C  BP=0000  SI=FFFF  DI=FFFF
1AED:0037 CB            RETF
AX=0038  BX=0000  CX=0000  DX=0001  SP=0080  BP=0000  SI=FFFF  DI=FFFF
DS=1AED  ES=1D76  SS=1DC7  CS=1D76  IP=0038   NV DN EI PL NZ NA PE NC
1D76:0038 06            PUSH	ES
-g 1d76:fe
AX=0BA1  BX=0000  CX=0000  DX=F000  SP=4000  BP=0000  SI=2576  DI=4000
DS=0BA1  ES=0BA1  SS=2576  CS=1D76  IP=00FE   NV UP EI PL NZ NA PO NC
1D76:00FE 2E            CS:
1D76:00FF FF2F          JMP	FAR [BX]                           CS:0000=0002
-d 0 ffff
0BA1:0000  CD 20 FF 9F 00 9A F0 FE-1D F0 4F 03 95 05 8A 03   . ........O.....
0BA1:0010  95 05 17 03 95 05 84 05-03 04 01 00 02 FF FF FF   ................
0BA1:0020  FF FF FF FF FF FF FF FF-FF FF FF FF 42 0B F1 49   ............B..I
0BA1:0030  95 05 14 00 18 00 A1 0B-FF FF FF FF 00 00 00 00   ................
0BA1:0040  05 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
0BA1:0050  CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20   .!...........

Next we need to turn that into a binary file, the code I wrote for Curse required only the hex dump lines so we trim the extra lines from out.txt file first.

#include <iostream>
#include <stdio.h>

using namespace std;

unsigned char decode(char h, char l)
    unsigned char hv, lv;
    if ( h >= 'A' && h <= 'F' )
        hv = h - 'A' +10;
        hv = h - '0';

    if ( l >= 'A' && l <= 'F' )
        lv = l - 'A' +10;
        lv = l - '0';

    return (lv+(hv*16));

void main()
    const int lineSize = 1024;
    char line[lineSize];

    FILE *out = fopen( "dump.bin", "wb" );

    unsigned char byte;

        cin.getline( line, lineSize );

        int offset=11;
        for(int i=0; i<8; i++)
            char h,l;
            h = line[offset+(i*3)];
            l = line[offset+(i*3)+1];

            byte = decode(h, l);


        for(int i=0; i<8; i++)
            char h,l;
            h = line[offset+(i*3)];
            l = line[offset+(i*3)+1];

            byte = decode(h, l);


Now using this like so:

dumpparse.exe < out2.txt

We get file dump.bin

Which we will load into IDA Pro in Part 2