Disassemblies of PoP2

Second part of the best game ever made.
FluffyQuack
Vizier
Posts: 91
Joined: June 6th, 2004, 7:05 pm

Re: Disassemblies of PoP2

Post by FluffyQuack »

David wrote: December 3rd, 2022, 8:30 pm
Hm, it seems that each newer version of IDA Free supports fewer executable formats and CPUs.
(Guess why?)

I used IDA Free 4.3 to make this disassembly.
I think 5.0 still supports DOS executables.

BTW, you should open the *.idb file instead of PRINCE.EXE, though that might display the same error message.

Yeah, you're right, it looks like newer versions of IDA Free (v7.0) don't support DOS executables any more. That's rather silly, especially since a commercial copy of IDA is crazy expensive.

Luckily, ScummVM's website got permission to host v5.0 of IDA Free. That's downloadable from here: https://www.scummvm.org/news/20180331/
David
The Prince of Persia
Posts: 2860
Joined: December 11th, 2008, 9:48 pm
Location: Hungary

Re: Disassemblies of PoP2

Post by David »

FluffyQuack wrote: December 4th, 2022, 2:48 am
Luckily, ScummVM's website got permission to host v5.0 of IDA Free. That's downloadable from here: https://www.scummvm.org/news/20180331/

Ah, you found a copy.

Meanwhile I found some archives of old IDA versions as well:
David wrote: December 3rd, 2022, 8:30 pm
I used IDA Free 4.3 to make this disassembly.

You can find an archived copy here:
https://web.archive.org/web/20051230200 ... eida43.exe

David wrote: December 3rd, 2022, 8:30 pm
I think 5.0 still supports DOS executables.

That one is archived here:
https://web.archive.org/web/20111009003 ... ware.shtml

David wrote: December 3rd, 2022, 8:30 pm
Hm, it seems that each newer version of IDA Free supports fewer executable formats and CPUs.

Maybe this is a warning that in the long term I should switch to a different disassembler...

Re: Disassemblies of PoP2

Post by FluffyQuack »

I've been using your IDA disassembly to figure out how some stuff works in POP2 and it's a pretty good reference, but I haven't been able to find the animation script/sequence data. It was hardcoded into POP1. Is it among the data files in POP2? Is it in sequence.dat? I see that file has 233 entries of data. I guess each entry corresponds to one animation?

Edit: Okay, sequence.dat definitely contains the animation sequence data. I'm writing a function that can parse it and output it to a text format, and this is my result so far: https://pastebin.com/raw/uqsNeHvh

One thing which surprises me is that they kept the frame data (the data with frame render offsets and weight information) hardcoded. It makes sense for the sequence data to be an external asset so they could edit it without having to recompile the game, but that data is tightly connected to the frame data so I'm surprised they didn't externalize that too.

Re: Disassemblies of PoP2

Post by FluffyQuack »

Extracted the frame data array and updated the sequence data conversion.

POP2 IR:
Frame data array: https://pastebin.com/raw/njY5KdbN
Sequence data: https://pastebin.com/raw/xbq6bSr0

POP2 1.0/1.1:
Frame data array: https://pastebin.com/raw/3Kc5KCpg
Sequence data: https://pastebin.com/raw/dD7JdMUg

Re: Disassemblies of PoP2

Post by FluffyQuack »

I want to find a way to reverse engineer POP2 that I can personally work on. I'm honestly not great at reverse engineering assembly code, and I would prefer a method where I can work piece-by-piece where the game is runnable. If I understand it correctly, most traditional methods involve disassembling the entire thing and you won't have anything to run until you've reverse engineered all of it. At least, I think that's what the most typical approach is. Either way, I tried to do some research on alternate approaches using tools that people have made to help with the process.

CicoParser:
- Takes disassembly output from IDA, converts it into fake-assembler C or Javascript code, and runs it in an SDL wrapper.
- I'm not sure if it supports VGA applications.
- Source code and more information: https://github.com/gabonator/Education/ ... CicoParser

CicoJIT:
- CicoParser is discontinued and the creator started working on this instead.
- CicoJIT uses an integrated disassembler. I think it means it takes the EXE and creates a disassembly from it rather than relying on something like IDA.
- No documentation (yet?), though the source code is here: https://github.com/gabonator/Projects/t ... er/CicoJit

Spice86:
- PC emulator that lets you replace arbitrary functions with code written in C# and let the rest remain the same, so you work piece by piece while having a fully functional game.
- Source code and more info: https://github.com/OpenRakis/Spice86/

Bright Eyes:
- Similar to Spice86 but it uses DOSBOX as emulator.
- Source code: https://github.com/Henne/Bright-Eyes

masm2c:
- I think this works in a similar way to CicoParser, where it takes a disassembled EXE from IDA and converts that code to C that runs it using the SDL library. A DosBox library is also related somehow.
- Source code and more info: https://github.com/xor2003/masm2c

SR:
- I think this works similarly to CicoJIT. It statically recompiles a DOS exe.
- Source code and more info: https://github.com/M-HT/SR

Those are the tools I've found that can possibly be helpful. I'm wondering if any of those methods could be used for POP2. This is something I wouldn't mind working on if I can get a good workflow set up.

Re: Disassemblies of PoP2

Post by FluffyQuack »

FluffyQuack wrote: May 13th, 2023, 4:53 pm
Extracted the frame data array and updated the sequence data conversion.

POP2 IR:
Frame data array: https://pastebin.com/raw/njY5KdbN
Sequence data: https://pastebin.com/raw/xbq6bSr0

POP2 1.0/1.1:
Frame data array: https://pastebin.com/raw/3Kc5KCpg
Sequence data: https://pastebin.com/raw/dD7JdMUg

On a related note to this, while the above kid frame data is hardcoded into the executable, the other frame data arrays are in data files:

PRINCE.DAT -> FRAM 1000 = Sword frame data
PRINCE.DAT -> FRAM 1200 = Short sword frame data
BIRD.DAT -> FRAM 750 = Bird guard frame data
FLAME.DAT -> FRAM 750 = Flame sword enemy frame data
GUARD.DAT -> FRAM 750 = Guard (lvl1 and last level) frame data
HEAD.DAT -> FRAM 750 = Head enemy frame data
SKELETON.DAT -> FRAM 750 = Skeleton frame data

Here are the enemy and sword frame data in text form (converted from v1.1 data files): https://pastebin.com/raw/x15gPgJ9

Re: Disassemblies of PoP2

Post by FluffyQuack »

FluffyQuack wrote: January 12th, 2024, 3:06 am
On a related note to this, while the above kid frame data is hardcoded into the executable, the other frame data arrays are in data files:

PRINCE.DAT -> FRAM 1000 = Sword frame data
PRINCE.DAT -> FRAM 1200 = Short sword frame data
BIRD.DAT -> FRAM 750 = Bird guard frame data
FLAME.DAT -> FRAM 750 = Flame sword enemy frame data
GUARD.DAT -> FRAM 750 = Guard (lvl1 and last level) frame data
HEAD.DAT -> FRAM 750 = Head enemy frame data
SKELETON.DAT -> FRAM 750 = Skeleton frame data

Here are the enemy and sword frame data in text form (converted from v1.1 data files): https://pastebin.com/raw/x15gPgJ9

I forgot to include the one for the jinnee (JINNEE.DAT -> FRAM 750): https://pastebin.com/raw/vishQcf3

Re: Disassemblies of PoP2

Post by FluffyQuack »

I discovered something pretty big. I looked at the executable for the FM Towns version of POP2 and it actually has debug symbols present in the executable with a list of function names and names for global variables!

It's compiled with a Borland C++ compiler from 1991. I searched around for something that can extract this debug data and I stumbled on this: https://github.com/ramikg/tdinfo-parser

Re: Disassemblies of PoP2

Post by David »

FluffyQuack wrote: October 25th, 2024, 3:49 am
I discovered something pretty big. I looked at the executable for the FM Towns version of POP2 and it actually has debug symbols present in the executable with a list of function names and names for global variables!

It's compiled with a Borland C++ compiler from 1991. I searched around for something that can extract this debug data and I stumbled on this: https://github.com/ramikg/tdinfo-parser

In 2015 I noticed this, and opened the EXE in IDA 4.3.
I still have the IDB file, see the attachment.
IDA 4.3 could handle the debug symbols on its own, without any add-ons.

Attachment: IDA_pop2_fmtowns.zip (1.27 MiB)

There are other versions of PoP which contain debug info, or at least function names:

Re: Disassemblies of PoP2

Post by FluffyQuack »

David wrote: October 26th, 2024, 10:45 am
In 2015 I noticed this, and opened the EXE in IDA 4.3.
I still have the IDB file, see the attachment.
IDA 4.3 could handle the debug symbols on its own, without any add-ons.

Attachment: IDA_pop2_fmtowns.zip

There are other versions of PoP which contain debug info, or at least function names:

Oh! And here I thought I was the first one to discover this. Google showed zero hits when I tried to search up information on this. But not only that, there's a second POP2 executable with debug symbols?

Having these function names helps endlessly when determining what some of these functions do.