Hex editing the code screen

Second part of the best game ever made.
Post Reply
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Hex editing the code screen

Post by Andrew »

1) PoP2 1.0's PrinceC2.exe in PoP-TUC 1.3 asks for codes/symbols but actually accepts any code. This is the PoP2 equivalent of changing all potions on PoP1's level 15 only to opener potions. The relevant change is a JE > JMP (naturally following a CMP) at the following offset:

Code: Select all

Comparing files Prince.exe and PrinceC2.exe
00008990: 74 EB
Can someone (*cough* David *cough* :)) explain with relation to the low-level disassembly what exactly this change does? What's the check and where is it taking place? Internally does the PoP2 code screen work the same way as PoP1's, such that one code at random is assigned an open potion?

2) Is it possible to hex edit the EXE (preferably 1.1's) such that each code can take me to a different level, and have each level (or whichever levels I want) exit back to the code screen? Just wanted to experiment and try out an idea I had...
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

Regarding 1), here's what seems to be the relevant section from the PoP2 IR disassembly:

ImageDnBWGPXNAs7tj44

1) a) What's with the RED section? :? If the disassembly is of a cracked version (which one and why?!), please mention what the original code for this section was.

1) b) Is the GREEN section correct? I know you've written a comment but I'd still like to confirm that this is the JE > JMP hex edit of 1.0 C2.

1) c) Is the PURPLE section correct and also, how does it work (how is the 0FFFE value selected and so on)?

1) d) Are all the BROWN sections correct?

2) As above.
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Red: This is from IR C2.
The original code is 39 76 F6 = cmp [bp-0A],si
Green: Yes. Although it would be more precise to say that this is the IR equivalent of the changed byte from 1.0.
Purple: I don't know yet.
Brown: I think they are correct.
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

RED: Is there any specific reason you disassembled a cracked version instead of the original EXE? (Also, are any of your other disassemblies also for cracked versions?)

Ok, so the original cmp condition is clear, but what about the nop after that? I suppose that was some sort of jump originally?

PURPLE: Would love to know more details about how it works once you've figured it out.

2) As above.
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Andrew wrote: RED: Is there any specific reason you disassembled a cracked version instead of the original EXE? (Also, are any of your other disassemblies also for cracked versions?)
Because it was at hand.
I already patched my PoP2 disassembly to match the uncracked file. (I did not upload it yet.)

PoP1 1.3 and 1.4 are the original. (But I did not upload 1.3 yet, and the uploaded 1.4 is missing most names.)
PoP1 1.0 is a cracked version.
Andrew wrote: Ok, so the original cmp condition is clear, but what about the nop after that? I suppose that was some sort of jump originally?
The NOP was added because the old instruction is 3 bytes, but the new (cmp si,si) is only 2 bytes.
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

David wrote:I already patched my PoP2 disassembly to match the uncracked file. (I did not upload it yet.)
Whenever you get the time, please upload all the uncracked PoP 1 & 2 EXE disassemblies with each archive name mentioning the version.
David wrote:The NOP was added because the old instruction is 3 bytes, but the new (cmp si,si) is only 2 bytes.
Got it, thanks!
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Andrew wrote: PURPLE: Would love to know more details about how it works once you've figured it out.
This is interesting... It seems that cprot_select() returns 0xFFFE (-2) if:
The cheat mode is active, you type the cheat word (makinit) on the copy protection screen, and press enter.
In this case the game accepts any choice.
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

David wrote:This is interesting... It seems that cprot_select() returns 0xFFFE (-2) if:
The cheat mode is active, you type the cheat word (makinit) on the copy protection screen, and press enter.
In this case the game accepts any choice.
What?! :shock: Wow, it's true, IR has an in-built way to skip the code screen as long as cheats are active! Did you figure out where exactly the code accepts "makinit" when entered on the copyprot screen?

As far as I can tell they removed this from 1.0 onwards, so it was probably just meant for testing purposes during development. I'd love to know where the copyprot code differs in the disassembly of 1.0.
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Andrew wrote: Did you figure out where exactly the code accepts "makinit" when entered on the copyprot screen?
You can follow the description in the newest disassembly.

This consists of multiple parts:
1. The cheat word itself is loaded (in cheat mode only) from prince.dat, "TXT4" resource 10, at the beginning of cprot_select(). It's stored in cheat_str.
2. At label key_other: If the user presses a key that does not do anything, then the key is added to the typed_keys[] array.
3. After the user presses enter, the code compares the typed string and the cheat word, case insensitively. If they match, then cprot_select() returns -2 (instead of the index of the selected symbol).
4. This is detected by the code you marked purple.
Andrew wrote: I'd love to know where the copyprot code differs in the disassembly of 1.0.
I did not disassemble PoP2 1.0 yet, so I can't compare them now.
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

David wrote:You can follow the description in the newest disassembly.
Thanks, and I'll bug your patient self as usual if I get stuck somewhere. :)
David wrote:I did not disassemble PoP2 1.0 yet, so I can't compare them now.
IIRC you did disassemble PoP2 1.1, right? Can't find it now though, or maybe I'm mistaken. I think we need one common topic for all the PoP2 disassemblies as well.

Since you're a mod too, why not change the title of the Disassemblies of PoP1 1.0 and 1.4 thread to just Disassemblies of PoP1, and similarly rename Disassembly of PoP2 IR to Disassemblies of PoP2? It would also help if both were stickied.
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Andrew wrote: IIRC you did disassemble PoP2 1.1, right? Can't find it now though, or maybe I'm mistaken.
No, I didn't.
Andrew wrote: Since you're a mod too, why not change the title of the Disassemblies of PoP1 1.0 and 1.4 thread to just Disassemblies of PoP1, and similarly rename Disassembly of PoP2 IR to Disassemblies of PoP2? It would also help if both were stickied.
I did that now.
Andrew
Wise Scribe
Wise Scribe
Posts: 313
Joined: July 16th, 2009, 4:39 pm

Re: Hex editing the code screen

Post by Andrew »

David wrote:No, I didn't.
Ok, looks like I was mistaken after all. Will wait for the disassembly of PoP2 1.0 and 1.1 then in order to compare and contrast with IR.
David wrote:I did that now.
Excellent. :)

BTW, do you have any suggestions regarding my question #2 above?
David
The Prince of Persia
The Prince of Persia
Posts: 2846
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Hex editing the code screen

Post by David »

Andrew wrote: 2) Is it possible to hex edit the EXE (preferably 1.1's) such that each code can take me to a different level, and have each level (or whichever levels I want) exit back to the code screen? Just wanted to experiment and try out an idea I had...
Here is my first attempt for that.
This is for the IR.

Code: Select all

Start with the uncracked EXE.
"--" means you do not need to change that byte.

Search: 39 76 F6 74 0A 83 FE FE
Change: 46 89 36 18 0A EB 08 90
In disassembly: seg005:1371
Effect: Index of selected symbol + 1 is stored in current_level. So you can select from levels 1..10.
And the copy protection is always passed.

Search: A0 18 0A 38 46 06 74 03
Change: -- -- -- 88 -- -- 90 90
In disassembly: seg011:00CE
Effect: The level parameter is overwritten with current_level.
This is needed so the game will load the selected level instead of whatever it wanted.

Search: 74 4E 42 74 4B
Change: -- -- -- EB 30
In disassembly: seg002:0105
Effect: Force the copy protection "cutscene" before every level, *unless* you're just restarting the current level.

Search: 89 36 E2 03
Change: 90 90 90 90
In disassembly: seg005:12A7
Effect: Don't disable the copy protection screen after you passed it.
As for the texts on that screen, they are in PRINCE.DAT.
The newest PR can export/import them correctly.
txt408005.bin = "Select the symbol that appears"
txt408006.bin = "on page %d of the manual"
Note that you must leave the terminating zero byte at the end!
Post Reply