Dyna Blaster ※ reverse engineering on DOS ※ Cracking VG Passwords S2e3


Back in the mid-1990s, when I was still
a novice at using computers, I didn’t play many
games on the PC, because I spent nearly all
my time programming instead. One of those that I did play,
was Dyna Blaster. Which is totally not Bomberman. I mean, you clearly don’t have
randomly generated rooms – with enemies that vary from
balloons with faces on them – to various kinds of blobs
with faces on them, and you clearly do not place bombs
that can be fired in chains, and… Okay seriously,
this is Bomberman. But in Europe,
this game, released for MS-DOS,
Amiga and Atari ST, was rebranded
as Dyna Blaster. And this game contains
a password system. It looks like this. You can input eight letters, selected from the English
26-letter alphabet. If your input is wrong, the input is cleared
and you have to try again. The input method is also quite slow
since you can’t just type, but you have to navigate a cursor
as if this was an arcade game. Let’s study what goes
into the password. The game has 64 levels, divided into 8 areas
each of which has 8 rooms. You can collect a number
of classic powerups, such as more powerful bombs, more bombs,
running ability, remote detonator,
pass-through bombs and so on. If you lose a life, you get to keep the
bomb power level, the number of bombs,
and the running ability, and start from the same level, but everything else
is reset to zero. And these aspects are saved
in the password, too. Back in the 1990s, I was not able to crack
this password system – because it was just too slow
to try different combinations, and I ran out of patience. I tried disassembling
the game too. However, I quickly learned
that something is going on: There does not seem to be
any plausible code anywhere. For the most part, none of
this disassembly makes sense. I mean, obviously the disassembler
is going to output something, because almost all bytes map
into some CPU instructions, but this cannot be
the real program code. So I ran UNP on the binary. UNP is an excellent tool
written by Ben Castricum, which is capable of decompressing
most DOS EXE files – compressed using compressors
written before 1995. And so is the case here. It detects that the game
is compressed using LZEXE, and successfully decompresses it. And now if I disassemble
the binary, I can actually find code
that makes sense. If you work with
assembler code, you will quickly learn to
recognize code that makes sense – and tell it apart from
disassembly of random data. Now because EXE files
are relocatable code, the next step would be
to use a disassembler – that can actually reconstruct
the code segments – and separate them from data. For this purpose,
I did some searching, and ended up downloading
a program called Semblance. Back in the DOS days
I used something else, but I no longer have that tool, and the open-source and cross-platform
program called Semblance – will do just fine for this purpose. When I run it on the decompressed
Dynablaster EXE file, it produces an assembler listing,
which I can open in a text editor. However, finding the password code
in it is not that simple. It’s not like I can just
search for “password” in it. I mean, I can figure out something. For example, this code seems to be
updating the VGA palette. It outputs bytes into I/O ports,
and port number 3C9 – happens to be the VGA graphics
card’s DAC data register. This stuff was the bread and butter
of graphics programming in the 1990s, so I can easily recognize it on sight. But to find code that deals
with the password is not that easy. Back in the 1990s, this is
where I got stuck. But now, almost
25 years later, the story does not
have to end here. I have different tools
in my toolbox now. I was already running
this game in DOSBox, which is an emulator
for the PC, but I need a version of DOSBox
that has the debugger built in. I am using Debian GNU/Linux, and the debug-enabled DOSBox can be
installed with a single command. And now when I run it, there is a debugger window
behind the emulator window. I will hit Ctrl-F1 to study the
keyboard mapper of DOSBox. I select the debugger option, and I notice the key mapping
for debugger is mod2, which is alt, plus pause. Alright, moving on. Click exit to exit the key-mapper
and resume the emulator. Now the game is running. Let’s enter the password screen,
and enter a simple password, BBBBBBBB. I am going to wait
until the music stops, so that the music will not interfere
with what I am going to do. Now I am going to hit alt+pause
to enter the debugger. Watch the data segment value, DS. I will do this several times. F5 to resume the game. Alt+pause, F5, alt+pause, F5,
alt+pause, F5, alt+pause, F5. The value of DS
seems to stay the same. If the music player was still active, the DS value would vary
between different breakpoints, but now, the password engine is the
only part of the game running, so the data segment
stays the same: B07. This is the primary data segment – that the game focuses on
while on the password screen. On the screen it says “type help”
to get an overview of all commands. Here it says use home/end buttons to scroll. What I want to do is write the
data segment contents into a file. I will call this file A.TXT. Then let’s resume the game
and make some changes. Replace the password
with ABCDEFGH, and enter the
debugger again. Do a second memory dump. And compare these two dumps. Sure there are still plenty of irrelevant
differences between these two, but look here! The first one has eight
62s in the row, while the second has
eight successive values: 61-62-63-64-65-66-67-68. Just like the password
that I inputted. This is where the game stores
the password you are inputting! It begins at address 32B5. There were also other differences. Offscreen, using this
same exact process, I identified the addresses – for the selector cursor
X and Y positions – and for the password
character position. Now let’s get back to
the assembler listing. Search for the address,
32B5. Alright. This first piece seems to copy
eight bytes into the password – from some unidentified RAM address. Let’s ignore that for now. This next part takes the
password buffer address, adds the password cursor position, and places a byte into
the resulting address. In other words, it changes a character
in the password. This seems to be part of
the password user interface. Let’s go up a bit. Okay here it seems to be comparing
the selector cursor position. If the Y coordinate is
different from 2, it reaches this spot… And if the Y coordinate was 2, then it checks if the
X coordinate is 8, 7, or 6. These must be the ←, →, and
“END” symbols respectively. If the X coordinate was
none of these, it continues with the
character input. Okay so let’s jump to where it gets
if the X coordinate was 8. That is 28C8. And that jumps to 29E7. This must be the part that
validates the password! Okay. First it checks if
the password is blank, that is it consists
of eight spaces. If it was blank, it does this. Otherwise it continues from here… Now it copies the 8-character buffer
into a different address, 30E5. Then it calls another function. If the return value of
that function is nonzero, it wipes out the password by
writing eight blanks into it. So I guess that’s the failure,
and the other branch is for the success. Let’s check out the function that
it uses for the validation, which is at 0E26. It sets the source index as 30E5,
which is the copy of the password, and destination index as 2117. It’s building something in 2117. Then it loads a character
from the password copy, and calls some function. Again, the return value is checked. This time, if the
return value is negative, it bails out and
continues otherwise. Let’s see what that
function does, at 0F72. Alright. So it takes the two lowest bits of BX
and multiplies that by 16. Then it initializes the counter
register with value 16, and performs some kind of loop. In that loop, it adds 20CF to
the value of BX, loads a character,
and compares that – to the character that
was supplied as a parameter. Hmm. I wonder what’s
in that address, 20CF. Let’s check the commands
in DOSBox again. I want to adjust the memory
view window over here, and the command to do that is – “D” followed by the
segment, colon, offset. The segment is the data segment
as before, B07. The offset in question was 20CF. Hmm, that is weird. It seems to contain four
sixteen-character strings. Okay, so it searches
the character – in one of these
sixteen-character tables, and returns the index
where it was found. If the character was not found,
it returns −1. This function is called twice. With the first character,
and the second character. The two return values are merged
into a single byte at address 2117. This process is repeated four times, until all eight characters
have been converted – and packed into four bytes. So far so good. It seems it is our good friend
the substitution cipher, except that the cipher
is different for each byte. [Ominous jingle] This data is then packed
into four bytes. These four bytes could be thought
as a 32-bit integer, or as a doubleword. Then it loads the first byte, and takes the top three bits
from that byte. If the top bit is nonzero, it inverts byte 3 of the password. Then the next bit is checked
and the byte index is decremented. This process is repeated three times,
for each of the top three bytes. Then it loads the first byte again, and checks that the middle two bits
are one and zero respectively. If they are not,
the password is rejected. Finally the lowest three bits are taken. This value is passed to
some function at 0F49. That function loops
and rotates bits… If you are an experienced
assembler programmer, by now you are already screaming
that this is horrible code. It is as if it was
produced by a compiler – that does absolutely no
optimizations whatsoever. Which is probably not far off, considering that the whole game,
Bomberman, was originally just a demo for
Hudson Soft’s BASIC compiler. I mean look at this. On the left side is the
code from Dynablaster. On the right side is my hand-written
copy of that same function. Both of these routines
do the same thing. And the whole game is like this. Anyway, when we carry out the
code analysis to its end, this is what we get. First, this is the
encryption code we just saw. The three lowest bits of first byte
specify a shift count, and the other three bytes are rotated
right by that number of bits. Zeros are shifted in
from the left side, and bits from the right side
are discarded. Then, data is extracted from
the resulting doubleword. I know, this graph
looks like a mess, so let’s break it down. Six data items are extracted
from the password: The two-digit level number,
the number of bombs, the explosion length, a flag that indicates
the running powerup, and a hamming weight of
everything else combined. Hamming weight is also
called a population count, or the number of one-bits. The data item bits are not stored
sequentially in the password, but they are all over the place. The hamming weight, or number of bits,
is particularly interesting. When the password is encoded, the game puts to this field
the number of bits – that were set in all
the other five operands. But when decoding,
the issue is different. Remember the rotation? When the password is encoded,
the bits are shifted left, and when the password is decoded,
the bits are shifted right. Because they are shifted,
not rotated, the upper bits of the password
will become permanently lost, and replaced with zeros. And look what’s in
the upper bits. There is all kinds of
vital information there. During playtesting, sub programmer Yuuji Muroya
likely noticed – that the generated passwords are
not actually decoding properly. [ Genuine heavy rain sounds in the background ] Data is getting lost. Rather than fixing the design
problem in the password, he settled on a workaround: Instead of generating rotation
counts between 0 and 7, he only generates them
between 0 and 1. This way, the only bit that
gets potentially lost – is this one bit in the
hamming weight variable. But now he ran into
a second problem: The hamming weight,
read from the password, does not actually match the number
of bits set in the password. He solved this problem by not
verifying the exact bit count, but that the saved bitcount
is less than sixteen. In other words, he only checks – that the most significant bit
of the hamming weight is zero. The rest of the bits
are essentially unused. I mean, there were actual
unused bits in the password. They are the upper
two bits of byte 1. The game always generates
these two bits as zero. Maybe he originally intended – these bits as a safe buffer
against the bitshifting, but he made a mistake. And because of his mistake, there are now many more meaningless
bits in the password. Now the data items in this
password are fairly simple. The level numbers are in 1—8 range. The password fails to match
if something else is given. All the other values can
use the full range. However, the maximum number
of bombs is actually eight. Any value that is outside
1—8 range just means eight. Related to the bomb count,
I actually found a bug in the game. Likely this is already
very well known, but I thought it’s
worth mentioning anyway. Once you acquire
the remote detonator, and you fire the detonator while an
explosion is already occurring, you can place as many additional
bombs as you want – even if you have just one bomb, and the bomb limit will be permanently
maximized until the end of the room. The maximum being eight, that is. Now here is the password converter
I wrote for this game. It handles all the
special cases correctly – and reports whether the
password is authentic or not. You can download it through the
link in the video description – if you like to study it. I also created a list of English-language
passwords in this game. Surprisingly there
are not that many. All of them are fake, in that the game will
never generate them, but it will accept them. Well, all except the last eight, which are somewhat questionable
compound words, that I included – to get at least some non-fake
passwords on the list. [ Ominous jingle ] In any case, these passwords work
not only in the DOS version, but also on the other
ports of the game, such as on the Amiga. And look at that,
we happen to have one here, thanks to my colleague
Toni Rosendahl. — … — Toni, if you would be so kind. — Okay, of course. So let’s take a look
at the game on Amiga. [ Loud joystick click sound ] [ Chair creaking ] — So it’s loading
from a USB stick, but it’s simulating a floppy disk
or something? — Yeah, it’s like a floppy disk; it emulates it, and the speed
is pretty much the same. [ Amiga game music ] … which should be … – Yeah, “MOONLESS” please. – Okay, let’s try. [ Joystick clicks ] – Entering the alphabets using the joystick
is a little bit difficult, but… “MOONLESS”, end.
Let’s see what happens. — Okay, it seems to have
accepted the password. Loading… — Let’s see what happens. — I don’t believe anyone has ever
entered this password before. — Stage 3—3. Good! — And it works, as you can see. I am Bisqwit. The next time — I haven’t actually decided yet – which game is going to be
the topic of the next episode! Maybe you have good ideas? In any case, have a nice day,
and see you next time! Bye! — Bye!
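
Added example, not part of the original video or the author's converter: the dump-comparison step described above (enter BBBBBBBB, dump the data segment, enter ABCDEFGH, dump again) automated in Python. It goes slightly further than the manual comparison by matching both typed strings up to a constant byte bias, so the buffer is found even when the game stores a different case than the screen shows (62 hex here, not 42). The `SEG:OFS` hex-text dump layout and all function names are assumptions, and the two dumps are constructed sample data.

```python
import re

# Assumed dump layout: "SEG:OFS   XX XX XX ..." per line (hex text).
DUMP_LINE = re.compile(
    r"^\s*[0-9A-Fa-f]{4}:([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_dump(text):
    """Turn a hex-text dump into {offset: byte}; unparseable lines are skipped."""
    mem = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                mem[base + i] = int(tok, 16)
    return mem


def locate_buffer(dump_a, dump_b, typed_a, typed_b):
    """Find offsets holding typed_a in dump_a and typed_b in dump_b.

    The stored bytes may differ from ASCII by one constant bias (for
    example lowercase storage of uppercase input), so the bias is derived
    from the first byte and must hold for every character in both dumps.
    Returns a list of (offset, bias) tuples.
    """
    if len(typed_a) != len(typed_b):
        raise ValueError("typed strings must have equal length")
    hits = []
    for start in sorted(dump_a):
        bias = (dump_a[start] - ord(typed_a[0])) & 0xFF
        if all(
            dump_a.get(start + k) == (ord(typed_a[k]) + bias) & 0xFF
            and dump_b.get(start + k) == (ord(typed_b[k]) + bias) & 0xFF
            for k in range(len(typed_a))
        ):
            hits.append((start, bias))
    return hits


def render_dump(seg, data, width=16):
    """Produce the assumed dump text for a block of memory."""
    return "\n".join(
        "%04X:%04X   %s" % (seg, ofs,
                            " ".join("%02X" % b for b in data[ofs:ofs + width]))
        for ofs in range(0, len(data), width))


def sample_dumps():
    """Constructed sample: two snapshots of data segment 0B07."""
    a = bytearray(0x3400)
    a[0x0100:0x0104] = b"\x10\x20\x30\x40"   # constructed unrelated state
    b = bytearray(a)
    b[0x0100] = 0x11                         # constructed noise between dumps
    a[0x32B5:0x32BD] = b"bbbbbbbb"           # buffer address from the video
    b[0x32B5:0x32BD] = b"abcdefgh"
    return render_dump(0x0B07, a), render_dump(0x0B07, b)


if __name__ == "__main__":
    text_a, text_b = sample_dumps()
    found = locate_buffer(parse_dump(text_a), parse_dump(text_b),
                          "BBBBBBBB", "ABCDEFGH")
    for offset, bias in found:
        print("buffer at %04X, stored as ASCII + %02X" % (offset, bias))
```

Zero-filled regions match the all-equal first password on their own, which is why the second dump with a non-repeating password is needed to narrow the result to one address.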

100 thoughts on “Dyna Blaster ※ reverse engineering on DOS ※ Cracking VG Passwords S2e3”

  1. It is all fun and games up to 12:17. How do you know the information described in the 'Data Content' portion of the video? That seems like some incredibly hard things to find out just by looking at the code.

  2. You may want to check out r2 (radare), if you plan on doing disassembling in future. It probably will save you some time. I mostly use r2, gdb and some tools of my own https://github.com/Cloudef/memutils

  3. Bisqwit see, you can tell which programming language you started and the easiest to learn when you started learning programming at an early age.

  4. Freaking loved this game on Amiga! Just seeing the menu screen brings me to almost hear the clicking of the microswitches in the ZipStik 😀

  5. Hey Bisqwit. Please check out the code of http://asciicker.com/x13/. It's a game just made out of CP437 colored characters and the game code can be found in java script files. It seems to be a really interesting engine. You can even check out all the different versions of the game by changing the 13 to something between 1-13. I would love to see if this is also possible in DOS.

  6. Hey, I'm going to watch your channel!! I was looking at the disassembled code and it looks like 8086 code, is that correct? I did not see any extended registers like eax etc. and the ret(s) are all near ones, so this looks like a COM file maybe????
    Right on!!! I'm starting to do programming stuff on my channel as well.

  7. I love this type of education!!! It is free and voluntary; what I mean is that the general public come here on a voluntary basis. There are no bullies, no truant officers and no school shootings. We could all use a little voluntary education.

  8. OK, there is an 8-byte movsb from si to di, for what purpose I'm unclear as I don't have my headphones with me – OH I LOVE THIS, I can read assembler as if it were English!! Where are my headphones? The password was 8 bytes hmmmmm !!!!!!

  9. I remember the old days I used Win32dasm.exe. The program allows you to track the win32 program code and check the offset of instructions in the file.
    Then one byte in the exe file would change (usually asm jump instruction) and you got a cracked app. For example, date checking in 30-days trial applications has been removed.

  10. I'd love to be a fan, but I just can't listen to his ridiculous accent. I think he learned English from a book? Without ever hearing it?

  11. I'm writing a movie editor. I can see a lot of work ahead. I want to simply join video clips together using AVI format. Is this easy or hard to do? I have already got an AVI header viewer in the works. It is hard to find documentation. Thanks!!!

  12. Hello! How do you come to enter the length of the memory dump as 10000? Is it just to see as a generic value that most probably is more than enough for a small DOS program's data segment?

  13. Good Evening Sir, Can you Design C Programming Videos over Linux Device Driver Programming and Assembly Language step by step and Linux Operating System Programming ( Build your own OS ) and Finally Linux Kernel Programming

  14. You are THE Wizard. Thank you for showing us the method with BBB and ABC etc. appearing in the memory state as consecutive numbers. Very smart. I have no words. I'm just dust under your feet. Keep the great work going. Thank you.

  15. How about making another series: Bisqwit talking about how he'd create a password system for his game. What would be the ultimate 8 bit password system.

  16. He programs complex code and runs a chat room at the same time while reverse engineering password systems better than the original software author could – during coffee break.

  17. I’d love to see a password decompilation for Snake’s Revenge on NES. It basically looks like a memory dump when giving the password out, always thought that was somewhat interesting, would love to know if that's actually the case!

  18. dude, that was relaxing AF, even for a student of civil engineering like me who changed from college because my original college has more programming courses and I hate programming (I was very good at those courses but I really hate programming lol)
    pls shave

  19. You should mess around with radare2/cutter! I've been reversing some microcontroller stuff. You can even step through functions and visualize call graphs.

  20. Excellent video.

    Thanks for a hint about dosbox-debug (I use qemu/gdb combo but as gdb is not realmode aware it's a bit painful even with custom commands to deal with segments).

  21. Every once in a while it looks like you have Mario running across the top of your desktop or active window. What is that, some kind of screen toy?

  22. Great work Bisqwit, you are the One, with your skills as programmer you can change the world...
    I would like you to see programming ARM microcontrollers such as STM32 or any...

  23. I remember having to binary hack my save file for the DOS port of Mega Man X because there was a bug that prevented you from getting Zero's power after you fight King. It was pretty straightforward.

  24. Ahhh…. Dynablaster. One of my favorite games for DOS. It is a picky bastard and really needs correct hardware if you want to hear the music correctly. And it needs a seriously specific range of CPU speed and no more than a certain size of memory. 486sx25 with 4 MB RAM, ISA-VGA card, SB-PRO and a genuine OPL3 chip, seems to be the sweet spot for this game.

  25. Once I analysed the construction of Lemmings level codes. Unfortunately no one cared because you could get level code lists from any Amiga magazine at that time.

  26. New cheat about Bomberman on NES is by switching the letter number 16 and 17
    You will get amazing levels, can be 60, 8A … as example.
    But don't explode the door because that will crash the game 🙂
    PS: check the code 16 and 17. Maybe it is 15 and 16 or 17 and 18 because I may forget the exact switching

  27. Shalom

    I pray that this finds you in the best of spirits.

    I wanted to inquire about your Bible channel? I read on your website about your love for Christ and I was amazed by the amount of time and effort you put into making it. After this I was always anticipating you making videos about the Bible where you go into depth teaching and expounding, because you have a gift of teaching. In the time we live in now, Christ's return is sooner than many people think. And the preaching of Christ's life, death and resurrection should be our highest priority. Romans 1:16. We live in a time where Christ and his true message is pushed to the side and forgotten, and more often than not twisted and perverted for worldly gain. People need to know that he is the answer to all problems. 1 Corinthians 1:18, John 14:6.

    You have a large influence and an amazing talent for producing videos given by our Gracious God. I can see how much of an impact you will land on your audience to bring people to Christ. There are many people looking for answers, but the labors are few. We need more good teachers like you to teach the Word of God in truth.
    John 4:24
    1 John 5:17

    Let the lord use you, brother
    Shalom

  28. This is a random off-topic question with no priority. On 8/16-bit processors there are reachable limits to how many instructions could be passed before the next vertical blank arrives, otherwise drawing slows down. I wondered, on modern machines doing many more cycles, could a hypothetical averaged NES game instruction set, multiplied by the whole NES catalog, be executed in the time it takes for a screen refresh? These are things I think about while working on an old 32k micro computer for fun.

  29. This brings back memories. I remember attempting to crack the password system in JRR Tolkien's The Lord of the Rings (SNES). I was partially successful, in that I figured out how to make my characters level 50+ at the beginning of the game which basically lets you just steamroll through the game and makes you invincible. Protip: Being Lv50+ is enough to kill the Ring Wraiths at the very beginning of the game with ease, but Bree's door will still be locked so sadly, no you can't pass up Barrow Downs.

  30. Get your hands off Dyna Blaster! This is my top childhood game! I used to have codes for all levels :). Though it took a couple of years for me to find out that if you type the name of the developer of this game as one name – hudsonsoft – it will make you invincible 🙂

  31. hey you know this guy has like 45 years old? but he only represents like 25 years old. Hey Bisqwit, tell us the secret of eternal youth. What do you eat?

  32. Sir, I watched you write some values such as 1.2, 0.3 etc. for colours in VGA programming, it looks quite difficult and artistic, but how it works? Can you explain, sir?

  33. Hey @Bisqwit, nice job! That was amazing, but I think you should speak a little bit slower because it's hard to follow you, especially for non-native English speakers like me. If you're concerned about the video length, maybe you could split the video into more parts and make a playlist. Anyway, congratulations again!!

    Now I challenge you to make a simple platform game in pure SNES assembly and run it on an emulator. I tried this once, but could only draw a green background on the screen. Shame on me. 🙁

  34. I would absolutely love to see a breakdown of the Password system for The Sword of Hope, for Gameboy (1989). 16 Characters long, with letters and numbers from the Greek Alphabet!

  35. Do this to Silpheed next. It's got this "flight school" thing at the beginning where it asks you to correctly name an enemy it shows on the screen (easily identified and named if you have a copy of the game's manual). I'm not sure if it does anything. I never noticed it do anything. But there does seem to be a frame that flashes by after you hit Enter with some text on it, and I was never able to capture and read it. Is there a way you can figure out what this question actually does in the gameplay?

  36. Nice job! 😉 What I did often back then: at the moment you found the password check code and the different branching on success / failure, you could just change the code (hex editor). E.g. you could hard coded jump to the success branch, overwriting the check. Only need to take care to align memory correctly when editing, so that the replacing statements take up as much size as the original ones. Then you have a cracked version where you just need to press enter on the password screen.

    Your approach is much more sophisticated.

    BTW: having an Amiga but no C O M P E T I T I O N P R O => big fail 😉
