Summary
Our approach is looking to reveal the findings only based on the DOS executable that can be downloaded from https://www.dosgamesarchive.com/file/mario-and-luigi/marioandluigi/. The source code of the game is also available at https://www.dosgamesarchive.com/file/mario-and-luigi/mariosrc/. The game was written in Pascal, and we’ll explain the DOS interrupts and the relevant instructions/functions that could be identified.
Technical analysis
The executable can’t run on a Windows 10 machine, and it needs to be emulated using an emulator such as DOSBox:
Figure 1
We were surprised to find out that the game was packed using a well-known packer called UPX:
Figure 2
We’ve decompressed the file using old versions of UPX as well as newer versions. Unfortunately, after unpacking the executable, the new file couldn’t be emulated using DOSBox because it raises the “Runtime error 201” range check error in Pascal:
Figure 3
DOSBox has a basic debugger that can be used to debug the initial packed executable; however, the functionality isn’t comparable with x32dbg/Ollydbg (it’s more like gdb in Linux). Because of this limitation, we’ve decided to perform a detailed static analysis on the decompressed executable using IDA Pro.
As we can see below, the assignment operator is used to store the number of players in an array:
Figure 4
The menu items appearing on the screen at the beginning of the game are also stored in an array using the same operator:
Figure 5
There is always the option to enable or disable the sound in the game, as highlighted below:
Figure 6
The status line option can be set to OFF or ON in the settings dialog:
Figure 7
Players have the option to save the game progress, as displayed in the figure below:
Figure 8
The final score will be concatenated with the “TOTAL SCORE:” string using the Concat function and then displayed at the end of the game:
Figure 9
Players can pause the game at any point by pressing the P key:
Figure 10
The MemAvail function is utilized to retrieve the size, in bytes, of the free heap memory. The result is stored in the DX:AX registers (keep in mind that the architecture should be 16-bit, so AX and DX are 16-bit registers). Whether DX < 0, then the program displays “Not enough memory” to the output:
Figure 11
The current level number is concatenated with the “LEVEL ” string and then displayed on the screen:
Figure 12
“GAME OVER” is displayed at the end of a lost game, and no lives are left:
Figure 13
Using the int 10h (int 16) interrupt routine with AH = 0x1A and AL = 0x00, the program reads the display combination code. Whether the result stored in AL is 0x1A, VGA is supported; otherwise, it displays an error message using the Write function:
Figure 14
Figure 15
Mario & Luigi can be played with a joystick by running the DOS executable with the “-j” parameter, as highlighted below:
Figure 16
Figure 17
The int 10h interrupt routine with AH = 0xF is utilized to retrieve the current video mode:
Figure 18
The video mode is set to Mode 13h, which is the standard 256-color mode on VGA graphics hardware (a resolution of 320×200 pixels):
Figure 19
The game uses the int 10h interrupt routine with AH = 0x2 in order to set the cursor position on the screen:
Figure 20
The same function from above is used multiple times with different register values. The program scrolls up the window by setting the AH register to 0x6 and BH, CX, and DX at runtime:
Figure 21
The program reads a character and attribute at the cursor position by setting the AH register to 0x8:
Figure 22
The 8×8 character font is loaded using the int 10h interrupt routine with AH = 0x11 and AL = 0x12. The executable obtains font information by setting the AL register to 0x30:
Figure 23
The cursor size is modified using the same interrupt routine with AH = 0x01:
Figure 24
The program selects an alternative EGA Print Screen routine using the same interrupt routine with AH = 0x12 and BL = 0x20:
Figure 25
It displays characters at the cursor position using the same interrupt routine with AH = 0x09:
Figure 26
The executable writes a character at the cursor position and advances the cursor using the int 10h interrupt routine with AH=0x0E:
Figure 27
The cursor position and shape can be obtained by setting the AH register to 0x03:
Figure 28
The DOS executable checks to see if there is any character available in the keyboard buffer using the int 16h interrupt routine with AH = 0x01:
Figure 29
The next character from the keyboard buffer is extracted by setting the AH register to 0x00. Whether no characters are available, the routine waits until one will be:
Figure 30
The int 21h interrupt routine with AH = 0x2C is utilized to retrieve the current time. The result will be used in the Randomize library function:
Figure 31
The program can close a file specified by the BX register using the same interrupt routine with AH = 0x3E:
Figure 32
The program can create a file whose name is stored in the DS:DX registers by setting the AH register to 0x3C:
Figure 33
The verify flag specifying whether all disk writes should be verified after writing, is extracted by setting AH = 0x54:
Figure 34
The executable extracts device information using the same interrupt routine with AH = 0x44 and AL = 0x00:
Figure 35
The current file position for a file specified by the BX register can be modified by setting the AH register to 0x42:
Figure 36
The program terminates its execution using the same interrupt routine with AH = 0x4C:
Figure 37
The DOS executable can read data from a file or device by setting the AH register to 0x3F:
Figure 38
The DOS executable can write data to a file or device by setting the AH register to 0x40:
Figure 39
The program writes a character to the standard output using the int 21h interrupt routine with AH = 0x06:
Figure 40
The Ctrl-Break interrupt handler is modified using the int 21h interrupt routine with AH = 0x25:
Figure 41
The program reads a byte from the interrupt mask register using the IN instruction:
Figure 42
A byte from the keyboard buffer can be read using the same instruction as above:
Figure 43
The executable turns the speaker on using the following instructions:
Figure 44
The speaker can be turned off using similar instructions:
Figure 45
The DOS executable reads the 6845 index port and then reads data using the IN instruction:
Figure 46
The program reads a value from the VGA status register using the IN instruction:
Figure 47
The executable moves the sequencer address register 0x3C4 to DX, and then it sets the memory mode:
Figure 48
The executable selects the graphics controller registers 0x3CE, and then it sets the mode register:
Figure 49
The program reads the CRT controller register 0x3D4, and then it accesses the underline location register:
Figure 50
A byte from the Game/Joystick I/O port 0x201 can be read using the IN instruction:
Figure 51
The DOS executable suspends/enables the interrupts, gets the 8259 end-of-interrupt value, and sends it to the 8259 interrupt controller using the following commands:
Figure 52
The following instructions can be used to disable all external interrupts except the system timer interrupt:
Figure 53
The program generates sound in the game utilizing OUT instructions, as highlighted below:
Figure 54
Before running the above instructions, the executable sends a control byte (10110110b) to port 43h:
Figure 55
The LED bits can be modified by sending a byte to port 60h, which updates the LEDs on the keyboard. The Capslock LED, Numlock LED, and Scroll lock LED are set to off:
Figure 56
The game verifies if a key is pressed or not using the following commands:
Figure 57
The program sets up a VGA color palette by sending the color number to port 3C8h and the red intensity, green intensity, and blue intensity to port 3C9h:
Figure 58
Figure 59
The DOS executable sends bytes to 6845 index port using the following instructions:
Figure 60
It reads the original value from the sequencer data register 0x3C5, turns off chain 4 (bit 3), turns off odd/even (bit 2), and writes the new value back to the register:
Figure 61
The file reads the original value from the graphics controller data register 0x3CF, turns off odd/even (bit 4), and writes the new value back to the register:
Figure 62
The program reads the original value from the CRT controller internal registers 0x3D5, turns off doubleword (bit 6), and writes the new value back to the register:
Figure 63
The Palette registers [0:F] are used to map text attributes or pixel color input values to the 256 possible colors available:
Figure 64
The DOS executable triggers the timer chip by writing any value to Game I/O port 201h:
Figure 65
The executable allocates new memory on the heap by calling the GetMem function:
Figure 66
The interrupt vector can be retrieved and then modified using the GetIntVec and SetIntVec routines:
Figure 67
The program extracts the number of command-line parameters by calling the ParamCount function:
Figure 68
The values of the command-line arguments can be retrieved using the ParamStr routine:
Figure 69
The DOS version can be extracted using the int 21h interrupt routine with AH = 0x30. The DOS major version is compared with 3:
Figure 70
References
https://www.freepascal.org/docs-html/rtl/
http://spike.scu.edu.au/~barry/interrupts.html
http://vitaly_filatov.tripod.com/ng/asm/
https://www.plantation-productions.com/Webster/www.artofasm.com/DOS/
http://soooh.com/book/delphi/%E7%AA%97%E4%BD%93/MODE-X%20%E4%BF%A1%E6%81%AF.HTM
https://01.org/sites/default/files/documentation/snb_ihd_os_vol3_part1_0.pdf
http://copleyservices.com/SM3110_Technical_Reference.pdf
Article Link: Reverse Engineering an old Mario & Luigi game for fun – CYBER GEEKS