Thursday, 27 November 2014

Rocket Raid Under The Hood 4: Generating a Disassembly

This is the fourth part in a series of posts on digging into the code of the Acornsoft side-scrolling arcade game, Rocket Raid.

In the last post, we left off at the point where the loading program makes a CALL to the address of entry to the main code at &3400. At last, it is time to disassemble the core game code and have a look at what happens from here.

Disassembling with BeebDis


To generate a disassembly of the game code, we will make use of the BeebDis command-line tool. A useful property of BeebDis is that its output is in a form that can be fed straight back through BeebAsm to build a new object code file, so we can make changes to the code and build a new version of the game.

As a first step we need to extract the file containing the machine code of the game, which we saw in the last post was the file $.RAIDOBJ, from the emulated disc image to our local PC desktop so that it can be processed by BeebDis.

Note: the BeebEm emulator also contains a built-in Debugger which is handy for disassembling short chunks of code while probing a program that has been loaded into memory.

Extracting the Object File

Files can be extracted from a disc image using the BBC Explorer utility. Simply open the disc image for Rocket Raid, select the appropriate file, then click on Extract to save the file.

BBC Explorer: Extracting the RAIDOBJ file

BeebDis Set-up

BeebDis needs a "command file" to be created in order to use it. This is a simple text file with instructions relating to the disassembly. Our command file looks like this:

load $e00 RAIDOBJ$
save disassembly.txt
symbols labels.txt
entry $3400

The first line specifies the name of the object code file extracted from the disc above, and the address at which to load it (note that BeebDis uses $ to denote hexadecimal numbers). Next is the filename for saving the disassembled output. The "symbols" line points to a list of memory locations which BeebDis will automatically replace with labels when found in the code. The file "labels.txt" comes with BeebDis and contains definitions for common OS routines and vectors, which will make the disassembled code easier to read.

This command file can be easily adjusted and the disassembly regenerated at any time.

Setting the Disassembly Start Location

The final command in the command file tells BeebDis to start disassembly from location &3400. This can be set to any start-point of interest; in this case it represents the address of the entry point to the game that is CALLed by the loader.

Setting the start to &E00 straight away results in broken disassembly output, since the disassembler has no way of knowing which bytes are code and which are data: when it decodes a data byte as an opcode it also swallows the bytes that follow as that opcode's operands, and the instruction stream can stay out of step for some way past the end of the data. As we identify which areas represent data, we will be able to mark these by adding instructions to the BeebDis command file so that they are output as byte data rather than decoded as instructions.
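To make the "out of step" problem concrete, here is a small linear-sweep 6502 disassembler in Python. It is an added example, not BeebDis's own code or any code from the game: it decodes only the handful of opcodes needed for a constructed byte string that imitates the copy loop seen at &3400, it substitutes names from a symbol table in the way the "symbols" line does (OSWRCH at &FFEE is the real BBC MOS write-character entry point; the two-byte data table placed just before the code is invented), and it accepts explicitly marked data ranges, which is the role of the extra commands one adds to the BeebDis command file. Starting the sweep two bytes early, in the data table, produces a bogus JSR that eats the real first instruction; marking those two bytes as data restores the correct listing.

```python
# Minimal linear-sweep 6502 disassembler (added example; not BeebDis source).
# The opcode table covers only the instructions used in the constructed
# sample below; any other byte is emitted as EQUB so the sweep never aborts.

OPCODES = {  # opcode -> (mnemonic, addressing mode)
    0x00: ("BRK", "imp"), 0x20: ("JSR", "abs"), 0x4C: ("JMP", "abs"),
    0x60: ("RTS", "imp"), 0x8D: ("STA", "abs"), 0x99: ("STA", "absy"),
    0xA0: ("LDY", "imm"), 0xA9: ("LDA", "imm"), 0xAD: ("LDA", "abs"),
    0xB9: ("LDA", "absy"), 0xC8: ("INY", "imp"), 0xD0: ("BNE", "rel"),
    0xEA: ("NOP", "imp"),
}
SIZE = {"imp": 1, "imm": 2, "rel": 2, "abs": 3, "absy": 3}

# Stand-in for BeebDis's labels.txt. OSWRCH really is at &FFEE on the BBC MOS.
SYMBOLS = {0xFFEE: "OSWRCH"}

# Constructed sample image, loaded at BASE. Two hypothetical data-table bytes
# ($20,$8B) sit just before a copy loop at $3400 modelled on the page's output.
BASE = 0x33FE
MEM = bytes([
    0x20, 0x8B,              # $33FE: data table (not code)
    0xA0, 0x00,              # $3400: LDY #$00
    0xB9, 0x00, 0x30,        # $3402: LDA $3000,Y
    0x99, 0x00, 0x04,        # $3405: STA $0400,Y
    0xC8,                    # $3408: INY
    0xD0, 0xF7,              # $3409: BNE $3402  (offset -9 from $340B)
    0xA9, 0x2A,              # $340B: LDA #$2A
    0x20, 0xEE, 0xFF,        # $340D: JSR $FFEE  (OSWRCH)
    0x60,                    # $3410: RTS
])


def label(addr, symbols):
    """Symbol name if known, otherwise an auto label like L3000 (BeebDis style)."""
    return symbols.get(addr, "L%04X" % addr)


def disassemble(mem, base, start, data_ranges=(), symbols=SYMBOLS):
    """Sweep mem (loaded at base) from start to the end of the image.
    data_ranges: (lo, hi) address ranges to emit as EQUB instead of decoding.
    Returns (lines, refs): lines is a list of (address, text); refs is the set
    of absolute/branch target addresses the decoded code referenced."""
    lines, refs = [], set()
    end = base + len(mem)
    pc = start

    def byte(a):
        return mem[a - base]

    while pc < end:
        rng = next(((lo, hi) for lo, hi in data_ranges if lo <= pc < hi), None)
        if rng:                                   # explicitly marked data
            stop = min(rng[1], end)
            chunk = mem[pc - base:stop - base]
            lines.append((pc, "EQUB " + ",".join("$%02X" % b for b in chunk)))
            pc = stop
            continue
        op = byte(pc)
        if op not in OPCODES or pc + SIZE[OPCODES[op][1]] > end:
            lines.append((pc, "EQUB $%02X" % op))  # unknown or truncated opcode
            pc += 1
            continue
        mnem, mode = OPCODES[op]
        if mode == "imp":
            text = mnem
        elif mode == "imm":
            text = "%s #$%02X" % (mnem, byte(pc + 1))
        elif mode == "rel":                       # signed 8-bit offset from next pc
            off = byte(pc + 1)
            target = (pc + 2 + (off - 256 if off >= 128 else off)) & 0xFFFF
            refs.add(target)
            text = "%s %s" % (mnem, label(target, symbols))
        else:                                     # abs / abs,Y: little-endian operand
            target = byte(pc + 1) | (byte(pc + 2) << 8)
            refs.add(target)
            text = "%s %s%s" % (mnem, label(target, symbols), ",Y" if mode == "absy" else "")
        lines.append((pc, text))
        pc += SIZE[mode]
    return lines, refs


def listing(mem, base, start, data_ranges=(), symbols=SYMBOLS):
    """Render in the shape of BeebDis output: definitions for labels outside the
    image, an org line, then code with in-image labels as '.Lxxxx' lines."""
    lines, refs = disassemble(mem, base, start, data_ranges, symbols)
    in_image = lambda a: base <= a < base + len(mem)
    out = ["L%04X = $%04X" % (a, a) for a in sorted(refs)
           if a not in symbols and not in_image(a)]
    out.append("        org     $%04X" % start)
    for addr, text in lines:
        if addr == start or addr in refs:
            out.append(".L%04X" % addr)
        out.append("        " + text)
    return "\n".join(out)


if __name__ == "__main__":
    print("--- sweep from the data table (out of step) ---")
    print(listing(MEM, BASE, BASE))
    print("--- sweep from the entry point $3400 ---")
    print(listing(MEM, BASE, 0x3400))
    print("--- sweep from $33FE with the table marked as data ---")
    print(listing(MEM, BASE, BASE, data_ranges=[(0x33FE, 0x3400)]))
```

Starting at $33FE the sweep decodes the table bytes as `JSR LA08B`, consuming the $A0 that is really the `LDY #$00` opcode, then decodes the leftover $00 as `BRK`; it only falls back into step at $3402. That is exactly the failure mode of a start address in the middle of data, and the reason the entry point, not &E00, is the right place to begin.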

Generating the Disassembly

Now we are ready to run BeebDis from a command-line prompt, giving the name of the command file (saved here as control.txt) as the parameter, to generate the disassembly file:
BeebDis control.txt
Various messages will scroll up the screen as BeebDis works, but the end result is a file named disassembly.txt (the name given on the "save" line of the command file) that contains the disassembly.

Examining the Output

Let's take a look at the result by opening up the file in a text editor. The first thing that we see, in the top section of the file, is a list of label definitions.

Labels of the form "L" followed by four hexadecimal digits are ones that have been created automatically by BeebDis to replace references in the code to fixed memory locations. Labels for various operating system routines that have been identified can also be seen; these are taken from the "labels.txt" file specified in the BeebDis command file.

After the label definitions is an "org" directive indicating the start of the disassembly proper, a label that BeebDis has inserted to mark the start address, and then a long list of EQUB directives, each of which represents raw byte data rather than an instruction.
        org     $0E00
.BeebDisStartAddr
        EQUB    $BA,$86,$0E,$20,$62,$11,$20,$8B
These bytes have been left as data rather than decoded as instructions because we told BeebDis to start disassembly at location &3400, so everything loaded below that address is emitted as EQUB. If we scroll down to near the end of the file, the start of the disassembly proper can be seen:
.L3400
        LDY     #$00
.L3402
        LDA     L3000,Y
        STA     L0400,Y 
At last, we are able to start analyzing the code to see how the game has been put together!
