
IVTUTIL: investigating Apogee's Bio Menace BUG - part1/2 (Users)

posted by Arjay(R), 14.12.2009, 17:02
(edited by Arjay on 14.12.2009, 18:21)

A recent conversation with Rugxulo made me aware of 2 interesting things:

1) That prior to 3D Realms' recent problems :-( they kindly released the old Apogee game Bio Menace as a 2005 "Christmas present" to the world.

2) That unfortunately "Bio Menace" contained some sort of Interrupt Vector bug that had resulted in a 3rd party patch being created which 3D Realms had apparently "checked" and then included within their release ZIP file along with the rather strange advice of "only use" DOSBOX to run the game.

Hmm, very intriguing as from what I remembered this game wasn't a PC booter and secondly Apogee/3D-realms programmers couldn't have let that type of bug slip through, twice?

I also thought this would be an interesting opportunity to provide a real world example of where IVTUTIL is useful in investigating these situations.

So obviously the first question - what is this infamous Bio Menace bug?
Well, a few quick Internet searches soon gave me the apparent answer, and the following text from the README.TXT of BIOPATCH.ZIP by emmzee (Darren Hewer) of http://www.dosgames.com/ provides a particularly helpful high level explanation, as he discovered and provided the first workaround to the "bug":

Original post on the DOSBox forum about this patch:

"hell, [bio menace] games are buggy... they do some weird things with the interrupt table (comparing things that dont make any sense). I have attached a small patch which has to be started in dosbox before one of those games are executed. it's a simple fix writing the value 0000 at the memory address 0000:0006. Works with all three bio menaces. stupid games..."


Ok, address 0000:0006, well that's within the interrupt vector table and just happens to be part of the address of Interrupt 01h, which is the single step interrupt for debugging software. This immediately told me that this is likely to be no bug at all - in the sense that Bio Menace expects to find this not pointing to a valid handler, so it appears to be very basic anti-debugging code designed into the game on purpose, but not great; indeed I guess the programmer Jim Norwood figured that no one could have a pointer to a single step debugger in Segment 0000h ;-)

So from the high level perspective all that was apparently required to address this issue was a very simple, short .COM program which did the following:

1) Safely stored the original value of Interrupt 01h
2) Reset Interrupt 01h to 0000:0000 using DOS to do it
3) Launched the appropriate Bio Menace game via DOS
4) On exit from the game, restored the original Interrupt 01h value
5) Returned to the operating system safely.

Ok, so what does emmzee's (Darren's) BioPatch.exe do?
Well, at 2,240 bytes I was thinking it was probably a TSR/loader. Well, let's use IVTUTIL to help us find out:

Firstly we use IVTUTIL to capture the current IVT before running BioPatch.exe and then running IVTUTIL again afterwards:

C:\BIOMEN>ivtutil mem ivtsave1.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE1.DAT
Conversion Type: MEM2DAT

C:\BIOMEN>biopatch
Dosbox Bio Menace 1-2-3 patch active.

C:\BIOMEN>ivtutil mem ivtsave2.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE2.DAT
Conversion Type: MEM2DAT



We can then use ivtutil to convert our Interrupt Vector Table saves into easy to read text files:

C:\BIOMEN>ivtutil ivtsave1.dat ivtsave1.txt

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename: IVTSAVE1.DAT
OUTPUT filename: IVTSAVE1.TXT
Conversion Type: DAT2TXT

C:\BIOMEN>ivtutil ivtsave2.dat ivtsave2.txt

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename: IVTSAVE2.DAT
OUTPUT filename: IVTSAVE2.TXT
Conversion Type: DAT2TXT

C:\BIOMEN>


We can then easily view/read these files together in a multiple text file viewer, and by toggling between them we can easily see what is happening, e.g.:


C:\BIOMEN>EDIT IVTSAVE*.TXT

(to save forum space I have combined the 2 important parts of the files below)

INT    VECTOR    POINTS TO       INT    VECTOR    POINTS TO
---    ------    ---------       ---    ------    ---------
$00   0070:1055             ---> $00   0070:1055
$01   0070:018B             ---> $01   0000:018B


Note: I plan to shortly release a simple IVT binary compare util which will look something like this as I have found myself doing this many times!

Ok. So basically as per emmzee's documentation all he is doing is zeroing a single word (0000h) in the segment part of Int 01h allowing the game to run and then afterwards he restores Int 01h to its original value.... ah oh dear no he doesn't, tsk! Still importantly his initial work identified the problem and he provided a patch as a workaround, so we can forgive him ;-)

After then reading through the rest of the "Bio Menace Bug - Solved" forum thread on emmzee (Darren)'s website here and here, I spotted on the 2nd page of this thread references to newer patches available over on the forums at http://vogons.zetafleet.com/ Great stuff! Perhaps someone else has written a patch which restores Interrupt 01h? Well, let's find out!

Page 1: see reference to bio.rar which contains bio.com
Page 2: see reference to BMFIX.ZIP which contains BMFIX.COM

So how do BIO.COM and BMFIX.COM fare in my analysis with ivtutil?

Well, firstly bio.rar (bio.com) was compressed with a new RAR compression method that none of my existing RAR extraction tools supported (certainly none for DOS!), so I decided to take a look at BMFIX.COM first of all.

IVTUTIL could have assisted here but the program itself was so short that I decided it was just as quick to study it in a hex editor without using IVTUTIL:


00000000: 8EC0                         mov    es,ax
00000002: 6626C706040018006F00         mov    d,es:[00004],0006F0018
0000000C: C3                           retn


Ok, what is this source code doing? Well, firstly what struck me immediately was the 66h opcode = 386-only code.. thus if, like me, you like to use old hardware to play things, don't run this program if you are using a 286 etc.
As for the code, well it changes Int 01h's vector to point to 006F:0018, which certainly isn't an IRET, that's for sure! And again there is no code to save and then restore Int 01h back to its original value after playing Bio Menace, as it does not provide a loading mechanism or vector 01h saving/restore mechanisms.

The RET takes us back to the Int 20h at the start of the PSP for the program. As for what is at 006F:0018, well it's into the DOS device area; at the time of writing I don't know off the top of my head or actually care what it is, other than to know that for multiple DOS versions it isn't the best place to point Int 01h at.

After downloading the latest version of RAR from http://www.rarlab.com/ (remember, as above I said the DOS versions wouldn't even touch BIO.RAR), I then took a look at bio.com. A quick view of the code for BIO.COM made me realize it was a million miles away from what I would expect it to be doing, but as above IVTUTIL is our friend in seeing the end results on this one also:


C:\BIOMEN>ivtutil mem ivtsave3.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE3.DAT
Conversion Type: MEM2DAT
C:\BIOMEN>bio
BIOMENACE Patch for DOSBox 0.61-0.65 loaded!
Don't use it with other games!
C:\BIOMEN>ivtutil mem ivtsave4.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE4.DAT
Conversion Type: MEM2DAT


Again for the sake of simplicity here I have combined the resulting text files:


INT    VECTOR    POINTS TO       INT    VECTOR    POINTS TO
---    ------    ---------       ---    ------    ---------
$00   0070:1055             ---> $00   0070:1055
$01   0070:018B             ---> $01   006F:0014
$02   038D:0016             ---> $02   006F:0014
$03   0070:018B             ---> $03   006F:0014
$04   0070:018B             ---> $04   006F:0014
