Curse of Enchantia
Moderator: ScummVM Team
Curse of Enchantia
I've started very preliminary work on figuring out how to write an engine for Curse of Enchantia.
So far I've figured out part of the .SPR file format used to store sprites.
The file starts with a header based on shorts (LE) that show which paragraph each sprite begins on. For example, in MOUSE.SPR, there are three sprites at offsets 0x1, 0x15, and 0x28. The header is zero-padded until the first sprite, which starts at offset 0x10 (0x1 * 0x10). The next sprite starts at 0x150 (0x1 * 0x10), etc. The 0x10 that I multiply with is the length of a paragraph (16 bytes).
Each sprite starts with two shorts (LE) that describe the dimensions (the mouse.spr sprites are 0x10 * 0x10 for instance, and the ones in FONT.SPR are 0x8 * 0x8).
I still haven't figured out exactly how the following data is formatted, but a safe assumption is that it should contain masking and color information. The data following the height & width in a mouse sprite is 316 (0x13C) bytes long, and in a font sprite, it's 92 (0x5C) bytes long. The data isn't very "ordered", aside from it looking like it contains three more shorts following the height & width.
I'm wondering if there are anybody else working on this, or anyone who can give tips as to what the best tools and approaches are? I've downloaded the freeware version of IDA, but I'm still trying to make heads or tails of it. Are there any good tutorials?
Edit: Forgot to mention, from the DOS EXE it looks like it was compiled in Borland C (there are plenty of C strings (filenames, various messages) in the latter half of the file, and if I've extracted correctly, the header extension looks like this:
Offset Contents
0x001c 0x0100
0x001e 0xfb (Borland TLINK?)
0x001f 48 (version)
0x0020 0x6a72
So far I've figured out part of the .SPR file format used to store sprites.
The file starts with a header based on shorts (LE) that show which paragraph each sprite begins on. For example, in MOUSE.SPR, there are three sprites at offsets 0x1, 0x15, and 0x28. The header is zero-padded until the first sprite, which starts at offset 0x10 (0x1 * 0x10). The next sprite starts at 0x150 (0x1 * 0x10), etc. The 0x10 that I multiply with is the length of a paragraph (16 bytes).
Each sprite starts with two shorts (LE) that describe the dimensions (the mouse.spr sprites are 0x10 * 0x10 for instance, and the ones in FONT.SPR are 0x8 * 0x8).
I still haven't figured out exactly how the following data is formatted, but a safe assumption is that it should contain masking and color information. The data following the height & width in a mouse sprite is 316 (0x13C) bytes long, and in a font sprite, it's 92 (0x5C) bytes long. The data isn't very "ordered", aside from it looking like it contains three more shorts following the height & width.
I'm wondering if there are anybody else working on this, or anyone who can give tips as to what the best tools and approaches are? I've downloaded the freeware version of IDA, but I'm still trying to make heads or tails of it. Are there any good tutorials?
Edit: Forgot to mention, from the DOS EXE it looks like it was compiled in Borland C (there are plenty of C strings (filenames, various messages) in the latter half of the file, and if I've extracted correctly, the header extension looks like this:
Offset Contents
0x001c 0x0100
0x001e 0xfb (Borland TLINK?)
0x001f 48 (version)
0x0020 0x6a72
I briefly took a look into engine. For me it looks like it was written in Assembler, and credits inside also give a hint to that:
I am not aware of any efforts to RE that game, and it may happen that game called Universe may be built on top of the same engine, though modified.
Did you try to contact original authors and try to obtain original source code?
In any case Free version of IDA should be enough for such tasks. As of tutirials... Well, there is none, though feel free to join #scummvm and talk to devs. Some of them have experience in RE and may give you some hints.
Eugene
Code: Select all
8086 CODE - IAN SABINE
68000 CODE - ROBERT TOONE
Did you try to contact original authors and try to obtain original source code?
In any case Free version of IDA should be enough for such tasks. As of tutirials... Well, there is none, though feel free to join #scummvm and talk to devs. Some of them have experience in RE and may give you some hints.
Eugene
It could well be assembly... I did look for people named Ian Sabine online, but there aren't any information that might lead me to contacting him, so no such luck at this moment.
I'll keep on chugging away at the code and see if I get anywhere.
Regarding IDA, it seems there should be a debugger included, how do I go about invoking it? The menu isn't where it should be I think? Edit: I guess the freeware version doesn't come with a debugger, I'll just use another one and compare notes with myself
I'll keep on chugging away at the code and see if I get anywhere.
Regarding IDA, it seems there should be a debugger included, how do I go about invoking it? The menu isn't where it should be I think? Edit: I guess the freeware version doesn't come with a debugger, I'll just use another one and compare notes with myself
- dreammaster
- ScummVM Developer
- Posts: 557
- Joined: Fri Nov 04, 2005 2:16 am
- Location: San Jose, California, USA
It may be pretty outdated, but all my RE efforts on Lure of the Temptress so far have been with good old DEBUG.EXE. Most of my time was spent in a text editor with an initial disassembly tracing program flow and fleshing out proper routine names and variable usage. On the occasions where I needed to trace through a routine to better understand it's flow, DEBUG provided sufficient functionality for me.
About the only major problem is that since it's so primitive, once the game switched to graphics mode, all the DEBUG text was displayed in 40 columns. Takes me back to when I first learned assembly programming on my Apple //e
About the only major problem is that since it's so primitive, once the game switched to graphics mode, all the DEBUG text was displayed in 40 columns. Takes me back to when I first learned assembly programming on my Apple //e
Ah, I didn't know that. That looks very good, I am actually running IDA in VirtualPC, so the less time I have to fiddle with that memory/CPU hog, the better!clem wrote:afaik you can compile dosbox to have a Debugger enabled (which looks pretty much like SoftIce if I remember correctly)
that way you don't even need an x86 CPU to do RE
Well, I tried debugger in dosbox and found it useless, just like dosbox folks told me. Moreover, it appeared to be much bigger CPU hog than VMWare plus IDA.Del wrote:Ah, I didn't know that. That looks very good, I am actually running IDA in VirtualPC, so the less time I have to fiddle with that memory/CPU hog, the better!clem wrote:afaik you can compile dosbox to have a Debugger enabled (which looks pretty much like SoftIce if I remember correctly)
that way you don't even need an x86 CPU to do RE
Eugene
It does seem to be pretty versatile though, even if I am having troubles (mind you, I am drunk at this moment) making it stop execution (it brings up the resolution thingie in sys prefs (mac os x)).sev wrote:Well, I tried debugger in dosbox and found it useless, just like dosbox folks told me. Moreover, it appeared to be much bigger CPU hog than VMWare plus IDA.Del wrote:Ah, I didn't know that. That looks very good, I am actually running IDA in VirtualPC, so the less time I have to fiddle with that memory/CPU hog, the better!clem wrote:afaik you can compile dosbox to have a Debugger enabled (which looks pretty much like SoftIce if I remember correctly)
that way you don't even need an x86 CPU to do RE
Eugene
-
- Posts: 2
- Joined: Sat May 13, 2006 10:22 am
I've been somewhat busy lately, but I've found out a few other tidbits.
The *.PAL files are palettes, each being used for one or more *.DAT files, which are images.
All the PAL files are 768 bytes long, and end with 0x3f3f3f. The data in a number of them appears to be in 24-bit chunks.
The DAT files are varying length and start with 0x524e43 ("RNC" in ASCII). I'm currently working out how the files specifically relate to each other, by looking at CORE.*, the main logo, as it has the smallest DAT file.
The *.PAL files are palettes, each being used for one or more *.DAT files, which are images.
All the PAL files are 768 bytes long, and end with 0x3f3f3f. The data in a number of them appears to be in 24-bit chunks.
The DAT files are varying length and start with 0x524e43 ("RNC" in ASCII). I'm currently working out how the files specifically relate to each other, by looking at CORE.*, the main logo, as it has the smallest DAT file.
BASS also has some RNC algorithm afaik, I wonder if that is coincidence...Del wrote:I've been somewhat busy lately, but I've found out a few other tidbits.
The *.PAL files are palettes, each being used for one or more *.DAT files, which are images.
All the PAL files are 768 bytes long, and end with 0x3f3f3f. The data in a number of them appears to be in 24-bit chunks.
The DAT files are varying length and start with 0x524e43 ("RNC" in ASCII). I'm currently working out how the files specifically relate to each other, by looking at CORE.*, the main logo, as it has the smallest DAT file.
Yes, probably. RNC is a third-party compression algorithm/library that was used by some games around that time (mid 90es). Think of it as the zlib of that timeclem wrote:BASS also has some RNC algorithm afaik, I wonder if that is coincidence...
@Del:
You can find decompression code for RNC method 2 in the BASS sources, I can send you C++ code to decompress method 1 if you want.
Interesting! I'll take a look at the BASS code right now
I assume you mean the rnc_* files in scummvm svn yeah?
Edit: The fourth byte is indeed 0x01, so I'd say it's a pretty safe assumption that it's the same algorithm. I'll try it out. I'd like to take a look at method 1 as well, you can send it to my gmail address delonch@(etc).
I ran a quick test with PP and they unpack nicely to 64000 byte (320 * 200) files that are exactly as I expect them. Beautiful!
I assume you mean the rnc_* files in scummvm svn yeah?
Edit: The fourth byte is indeed 0x01, so I'd say it's a pretty safe assumption that it's the same algorithm. I'll try it out. I'd like to take a look at method 1 as well, you can send it to my gmail address delonch@(etc).
I ran a quick test with PP and they unpack nicely to 64000 byte (320 * 200) files that are exactly as I expect them. Beautiful!