DOS ain't dead
Arjay(R)

14.12.2009, 17:02
(edited by Arjay, 14.12.2009, 18:21)

IVTUTIL: investigating Apogee's Bio Menace BUG - part1/2 (Users)

A recent conversation with Rugxulo made me aware of 2 interesting things:

1) That, prior to 3D Realms' recent problems :-(, they kindly released the old Apogee game Bio Menace as a 2005 "Christmas present" to the world.

2) That unfortunately "Bio Menace" contained some sort of Interrupt Vector bug, which had resulted in a 3rd party patch being created, which 3D Realms had apparently "checked" and then included within their release ZIP file along with the rather strange advice to "only use" DOSBox to run the game.

Hmm, very intriguing, as from what I remembered this game wasn't a PC booter, and secondly Apogee/3D Realms programmers couldn't have let that type of bug slip through, twice?

I also thought this would be an interesting opportunity to provide a real world example of where IVTUTIL is useful in investigating these situations.

So obviously the first question: what is this infamous Bio Menace bug?
Well, a few quick Internet searches soon gave me the apparent answer, and the following text from the README.TXT of BIOPATCH.ZIP by emmzee (Darren Hewer) of http://www.dosgames.com/ provides a particularly helpful high-level explanation, as he discovered and provided the first workaround to the "bug":

Original post on the DOSBox forum about this patch:

"hell, [bio menace] games are buggy... they do some weird things with the interrupt table (comparing things that dont make any sense). I have attached a small patch which has to be started in dosbox before one of those games are executed. it's a simple fix writing the value 0000 at the memory address 0000:0006. Works with all three bio menaces. stupid games..."


Ok, address 0000:0006: well, that's within the interrupt vector table and just happens to be part of the address of Interrupt 01h, which is the single-step interrupt for debugging software. This immediately told me that this is likely to be no bug at all, in the sense that Bio Menace expects to find this not pointing to a valid handler; so it appears to be very basic anti-debugging code designed into the game on purpose, but not great. Indeed, I guess the programmer Jim Norwood figured that no one could have a pointer to a single-step debugger in segment 0000h ;-)

So from the high-level perspective, all that was apparently required to address this issue was a very simple, short .COM program which did the following:

1) Safely stored the original value of Interrupt 01h
2) Reset Interrupt 01h to 0000:0000 using DOS to do it
3) Launched the appropriate Bio Menace game via DOS
4) On exit from the game, restored the original Interrupt 01h value
5) Returned to the operating system safely.

Ok, so what does emmzee's (Darren's) BioPatch.exe do?
Well, at 2,240 bytes I was thinking it was probably a TSR/loader. Well, let's use IVTUTIL to help us find out:

Firstly we use IVTUTIL to capture the current IVT before running BioPatch.exe, and then run IVTUTIL again afterwards:

C:\BIOMEN>ivtutil mem ivtsave1.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE1.DAT
Conversion Type: MEM2DAT

C:\BIOMEN>biopatch
Dosbox Bio Menace 1-2-3 patch active.

C:\BIOMEN>ivtutil mem ivtsave2.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE2.DAT
Conversion Type: MEM2DAT



We can then use IVTUTIL to convert our Interrupt Vector Table saves into easy-to-read text files:

C:\BIOMEN>ivtutil ivtsave1.dat ivtsave1.txt

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename: IVTSAVE1.DAT
OUTPUT filename: IVTSAVE1.TXT
Conversion Type: DAT2TXT

C:\BIOMEN>ivtutil ivtsave2.dat ivtsave2.txt

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename: IVTSAVE2.DAT
OUTPUT filename: IVTSAVE2.TXT
Conversion Type: DAT2TXT

C:\BIOMEN>


We can then easily view/read these files together in a multiple-text-file viewer, and by toggling between them we can easily see what is happening, e.g.:


C:\BIOMEN>EDIT IVTSAVE*.TXT

(to save forum space I have combined the 2 important parts of the files below)

INT    VECTOR    POINTS TO       INT    VECTOR    POINTS TO
---    ------    ---------       ---    ------    ---------
$00   0070:1055             ---> $00   0070:1055
$01   0070:018B             ---> $01   0000:018B


Note: I plan to shortly release a simple IVT binary compare util which will look something like this as I have found myself doing this many times!

Ok. So basically, as per emmzee's documentation, all he is doing is zeroing a single word (0000h) in the segment part of Int 01h, allowing the game to run, and then afterwards he restores Int 01h to its original value.... ah, oh dear, no he doesn't, tsk! Still, importantly, his initial work identified the problem and he provided a patch as a workaround, so we can forgive him ;-)

After then reading through the rest of the "Bio Menace Bug - Solved" forum thread on emmzee (Darren)'s website here and here, I spotted on the 2nd page of this thread references to newer patches available over on the forums at http://vogons.zetafleet.com/ Great stuff! Perhaps someone else has written a patch which restores Interrupt 01h? Well, let's find out!

Page 1: see reference to bio.rar, which contains bio.com
Page 2: see reference to BMFIX.ZIP, which contains BMFIX.COM

So how do BIO.COM and BMFIX.COM fare in my analysis with IVTUTIL?

Well, firstly bio.rar (bio.com) was compressed with a new RAR compression method that none of my existing RAR extraction tools supported (certainly none for DOS!), so I thus decided to take a look at BMFIX.COM first of all.

IVTUTIL could have assisted here, but the program itself was so short that I decided it was just as quick to study it in a hex editor without using IVTUTIL:


00000000: 8EC0                         mov    es,ax                      ; ES = AX; DOS passes AX=0000 to a .COM when both PSP FCB drive letters are valid, so ES = 0000
00000002: 6626C706040018006F00         mov    d,es:[00004],0006F0018     ; 32-bit store (66h prefix) of 006F:0018 into 0000:0004 = the Int 01h vector
0000000C: C3                           retn                              ; return to the Int 20h at PSP:0000 = terminate


Ok, what is this code doing? Well, firstly what struck me immediately was the 66h opcode = 386-only code; thus if, like me, you like to use old hardware to play things, don't run this program if you are using a 286 etc.
As for the code, well, it changes Int 01h's vector to point to 006F:0018, which certainly isn't an IRET, that's for sure! And again there is no code to save and then restore Int 01h back to its original value after playing Bio Menace, as it does not provide a loading mechanism or vector 01h save/restore mechanisms.

The RET takes us back to the Int 20h at the start of the PSP for the program. As for what is at 006F:0018, well, it's in the DOS device area; at the time of writing I don't know off the top of my head, or actually care, what it is, other than to know that for multiple DOS versions it isn't the best place to point Int 01h at.

After downloading the latest version of RAR from http://www.rarlab.com/ (remember, as above, I said the DOS versions wouldn't even touch BIO.RAR), I then took a look at bio.com. A quick view of the code for BIO.COM made me realize it was a million miles away from what I would expect it to be doing, but as above IVTUTIL is our friend in seeing the end results on this one also:


C:\BIOMEN>ivtutil mem ivtsave3.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE3.DAT
Conversion Type: MEM2DAT

C:\BIOMEN>bio
BIOMENACE Patch for DOSBox 0.61-0.65 loaded!
Don't use it with other games!

C:\BIOMEN>ivtutil mem ivtsave4.dat

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename: IVTSAVE4.DAT
Conversion Type: MEM2DAT


Again, for the sake of simplicity, here I have combined the resulting text files:


INT    VECTOR    POINTS TO       INT    VECTOR    POINTS TO
---    ------    ---------       ---    ------    ---------
$00   0070:1055             ---> $00   0070:1055
$01   0070:018B             ---> $01   006F:0014
$02   038D:0016             ---> $02   006F:0014
$03   0070:018B             ---> $03   006F:0014
$04   0070:018B             ---> $04   006F:0014

Arjay(R)

14.12.2009, 17:06
(edited by Arjay, 14.12.2009, 18:32)

@ Arjay

IVTUTIL: investigating Apogee's Bio Menace BUG - part 2/2

Conclusions
-----------
Well, firstly, thank you to the authors of these patches for helping people run Bio Menace on modern hardware. "Technically", although not to my own liking, all of these patches do provide a way of allowing Bio Menace to run. However, my advice to anyone looking to use them is to use them only if you are using a single-session DOS VM just to run Bio Menace; in other words, if you are using these patches outside of DOSBox, and particularly if you are using them to run other programs afterwards, please be aware of their watchouts!

So what are the alternatives to the existing patches?
-----------------------------------------------------
Well, in theory we should be able to use IVTUTIL's undocumented interrupt patching feature. (Note: it is undocumented from the command line to help force people to read IVTUTIL's text file before attempting to use it.)

Well, firstly we can use IVTUTIL to save what the "current" value of Int 01h is, using this command (best to do this using a standard configuration):

C:\BIOMEN>ivtutil mem current.txt

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:   MEMORY.MEM
OUTPUT filename:  CURRENT.TXT
Conversion Type: MEM2TXT

C:\BIOMEN>


and then we can copy out the value of Int 01h into an IVTUTIL patch file, e.g.:

[Patches2VectorTable]
Int01=0070:018B


We should then in theory just be able to write another IVTUTIL patch file which, say, sets the interrupt vector to 0000:0000, which although not ideal should be ok:


[Patches2VectorTable]
Int01=0000:0000


and then simply run IVTUTIL as follows:
C:\BIOMEN>ivtutil biopatch.ivt mem

However... THIS WILL CURRENTLY NOT WORK! There is a slight problem here in that, for safety, I designed IVTUTIL so that the patching feature could NOT be used to set interrupts to null pointers!! I can now see that this might be useful at times.... so the next version of IVTUTIL will support this by removing the safety feature which prevents it from working today. Saying this, it is still possible to use IVTUTIL to provide a patch if you know of a good non-null pointer value in Segment 0000h, e.g. preferably an IRET (C3h) return, to which to set Int 01h (for safety!). That said, the value below will also work (but again I don't like this):


[Patches2VectorTable]
Int01=0000:FFFF


Thus you could then do:
C:\test\BIOMEN>ivtutil biopatch.ivt mem

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename: BIOPATCH.IVT
OUTPUT filename:   MEMORY.MEM
Conversion Type: IVT2MEM
*** Use this undocumented function with extreme care!!!! ***
INI SECTION: [PATCHES2VECTORTABLE]
PATCHing current Interrupt $01 from 0070:018B to 0000:FFFF
*** Use this undocumented function with extreme care!!!! ***

C:\BIOMEN>(run Bio Menance)
C:\BIOMEN>ivtutil orgint1.ivt mem

IVTUTIL v1.00 - utility for processing/converting Interrupt Vector Table files
                Source and util released as PUBLIC DOMAIN by Richard L. James

INPUT  filename:  ORGINT1.IVT
OUTPUT filename:   MEMORY.MEM
Conversion Type: IVT2MEM
*** Use this undocumented function with extreme care!!!! ***
INI SECTION: [PATCHES2VECTORTABLE]
PATCHing current Interrupt $01 from 0000:FFFF to 0070:018B
*** Use this undocumented function with extreme care!!!! ***

C:\BIOMEN>


which will work... but I still don't like this. Thus I plan to find some time over Christmas to write a more portable, safer patch for Bio Menace which takes all DOS versions into consideration. I am also going to have a think about how I could improve the interrupt patching functionality in IVTUTIL.
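What a wrapper along the lines of the five-step list in part 1 (save Int 01h, set it to 0000:0000 via DOS, run the game, restore, return to DOS) could look like, folding in the patch-then-restore sequence done above with IVTUTIL, as an added example in NASM syntax. This is neither Arjay's planned patch nor any of the patches discussed in the thread. It assumes the game executable is called BMENACE1.EXE and sits in the current directory (the thread only gives the wildcard bmenace?.exe), needs only 8086 instructions and DOS 2.0 or later, and uses DOS functions 35h/25h for the vector and 4B00h (EXEC) to run the game, so the original vector is put back even when the game fails to load.

```nasm
; biowrap.asm - added example, not code from the thread.
; Assemble: nasm -f bin biowrap.asm -o biowrap.com
; Assumptions: game is BMENACE1.EXE in the current directory; DOS 2.0+; 8086.
        org     100h
        cpu     8086

start:
        mov     sp, stack_top           ; switch to a stack inside the block we keep
        ; Free memory above PSP+code+stack so EXEC has room for the game.
        ; With org 100h, label offsets count from the PSP, so stack_top is the
        ; byte size of what we keep; round up to paragraphs. ES = PSP on entry.
        mov     bx, (stack_top + 15) >> 4
        mov     ah, 4Ah                 ; DOS: resize memory block at ES
        int     21h
        jnc     mem_ok
        jmp     fail_mem
mem_ok:
        ; 1) Save the current Int 01h vector (DOS 35h returns it in ES:BX).
        mov     ax, 3501h
        int     21h
        mov     [old_vec], bx           ; offset
        mov     [old_vec+2], es         ; segment

        ; 2) Set Int 01h to 0000:0000 through DOS (25h takes DS:DX), so the
        ;    segment word at 0000:0006 reads 0000 as the game expects.
        push    ds
        xor     ax, ax
        mov     ds, ax
        mov     dx, ax
        mov     ax, 2501h
        int     21h
        pop     ds

        ; 3) Run the game. EXEC (4B00h) wants DS:DX -> ASCIIZ name and
        ;    ES:BX -> parameter block, and may clobber every register except
        ;    CS:IP, so keep SS:SP in our own segment (DS = CS in a .COM).
        mov     ax, cs
        mov     es, ax
        mov     [parm_block+4], ax      ; segment halves of the three far pointers
        mov     [parm_block+8], ax
        mov     [parm_block+12], ax
        mov     [save_ss], ss
        mov     [save_sp], sp
        mov     bx, parm_block
        mov     dx, game_name
        mov     ax, 4B00h
        int     21h
        mov     ax, cs                  ; back from the child: rebuild DS and SS:SP
        mov     ds, ax
        cli
        mov     ss, [save_ss]
        mov     sp, [save_sp]
        sti
        jnc     restore                 ; CF set -> EXEC failed (AX = DOS error code)
        mov     dx, msg_exec
        mov     ah, 09h
        int     21h

restore:
        ; 4) Restore Int 01h from the saved value, whatever happened above.
        lds     dx, [old_vec]           ; DS:DX = original handler
        mov     ax, 2501h
        int     21h
        ; 5) Return to DOS.
        mov     ax, 4C00h
        int     21h

fail_mem:                               ; nothing patched yet, just report and exit
        mov     dx, msg_mem
        mov     ah, 09h
        int     21h
        mov     ax, 4C01h
        int     21h

game_name:  db  'BMENACE1.EXE', 0       ; assumed name, see lead-in
msg_exec:   db  'EXEC of game failed, Int 01h restored.', 0Dh, 0Ah, '$'
msg_mem:    db  'Could not resize memory block.', 0Dh, 0Ah, '$'
old_vec:    dd  0                       ; saved Int 01h, stored offset then segment
save_ss:    dw  0
save_sp:    dw  0

parm_block:                             ; DOS EXEC parameter block
        dw      0                       ; environment segment: 0 = inherit ours
        dw      cmd_tail, 0             ; far ptr to command tail (segment patched at run time)
        dw      fcb, 0                  ; far ptr to default FCB 1
        dw      fcb, 0                  ; far ptr to default FCB 2
cmd_tail:   db  0, 0Dh                  ; empty command line: length 0, CR
fcb:        db  0                       ; blank FCB: default drive, name all spaces
        times 11 db ' '
        times 25 db 0

        times 256 db 0                  ; private stack
stack_top:
```

Run BIOWRAP from the game directory instead of running the game directly. Because the vector is written through Int 21h/25h rather than by poking 0000:0006, DOS raises no objection to a null pointer here (unlike IVTUTIL's patch feature), and unlike BIOPATCH.EXE, BMFIX.COM and BIO.COM the original Int 01h survives the session. While the game runs, Int 01h is of course unusable by a debugger, which is the whole point of the game's check.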

Rugxulo(R)

Usono,
15.12.2009, 01:16

@ Arjay

IVTUTIL: investigating Apogee's Bio Menace BUG - part 2/2

First of all, there are newer UnRAR tools for DOS (compiled by rr, no less!), but they require a 386+. E.g. unrar38b.zip. The normal RAR is a dual-mode DOS + OS/2 .EXE (EMX) (I think??), hence might need the EMX hack for JEMM386.

Anyways, back on topic, here's what I quickly wrote up (using Qbix's BIO.COM) with some guidance by Eric Auer:


http://fd-doc.sourceforge.net/faq/cgi-bin/viewfaq.cgi?faq=incoming/1345


"3D Realms' BioMenace crashes when firing on an enemy"

rugxulo@NOSPAM.bellsouth.SPAMSUX.net / Tue May 1 17:15:29 2007


Hello,
   3D Realms (formerly Apogee) released BioMenace to be freeware in
late 2005. But, the DOSBox patch included with the BMFREEW.ZIP only
works with version DOSBox 0.63 (doh!).

If you want to run under old versions of DOSBox (before 0.70),
FreeDOS, DR-DOS, etc. you'll need to use this .BAT to create BIO.COM
and run that .COM before every game session. (MS-DOS doesn't need it.
"STACKS=9,256" in CONFIG.SYS should work around it. But feel free to
try anyways.) Oh, and have fun!   ;-)

P.S. Kudos to Jim Norwood for his excellent work!

------------------------------------------------------------------
@echo off
if exist %0.bat debug < %0.bat
if not exist %0.bat debug < %0
goto end

REM Tested w/ debug.exe from WinXP (MS-DOS 5?), Vista, & FreeDOS' debug.com
REM
REM BIO.COM patch written by Qbix for DOSBox :
REM http://vogons.zetafleet.com/
REM        iewtopic.php?t=11661&highlight=bio+rar
REM
REM Get BioMenace free (!) from here (needs 286 or better):
REM http://www.3drealms.com/menace/
REM
REM Run BIO.COM immediately before bmenace?.exe

n bio.com
rcx
72
a cs:100
mov    dx,0125
mov    ax,0900
int    21
mov    ax,006F
mov    ds,ax
mov    dx,0014
mov    ax,2501
int    21
inc    al
int    21
inc    al
int    21
int    21
inc    al
int    21
int    20
db "BIOMENACE Patch for DOSBox 0.61-0.65 loaded!",0a,0d
db "Don't use it with other games!$"


w
q
q

:end
------------------------------------------------------------------


I should've mentioned that, but I didn't think you were interested. :-D

Arjay(R)

15.12.2009, 11:25
(edited by Arjay, 15.12.2009, 11:45)

@ Rugxulo

IVTUTIL: investigating Apogee's Bio Menace BUG - part 2/2

> First of all, there are newer UnRAR tools for DOS (compiled by rr,
> no less!), but they require 386+.
That's ok, I tend to use 386+'s myself... :) Thank you for the compile/link!

> Anyways, back on topic, here's what I quickly wrote up (using QBix's
> BIO.COM) with some guidance by Eric Auer:
>
> If you want to run under old versions of DOSBox (before 0.70),
> FreeDOS, DR-DOS, etc. you'll need to use this .BAT to create BIO.COM
> and run that .COM before every game session. (MS-DOS doesn't need it.

Thank you for sharing this additional info / Qbix's source so that others can also see it. To aid anyone who might be reading this who is starting out in assembler, I have commented Qbix's source with links to more info, as well as highlighting the minor BUG that this short program also contains:

a cs:100         ;  note: as we are a .COM file, CS=DS=ES=SS
mov    dx,0125   ;  Set DX pointing @ "BIOMENACE Patch for DOSBox" string
mov    ax,0900   ;  Print string via DOS function 09h
int    21        ;  Call DOS to print $ terminated string
mov    ax,006F   ;  Following code is to set Ints 01h to 04h to 006F:0014
mov    ds,ax     ;  Set our new Interrupt segment = 006F
mov    dx,0014   ;  Set our new Interrupt offset  = 0014
mov    ax,2501   ;  2501=Set Interrupt [DS:DX = address of new interrupt handler]
int    21        ;  Call DOS to set Int 01h to 006F:0014
inc    al        ;  al = 2
int    21        ;  Call DOS to set Int 02h to 006F:0014
inc    al        ;  al = 3
int    21        ;  Call DOS to set Int 03h to 006F:0014
int    21        ;  *** BUG!!!!  This Int 21h call is NOT needed! ***
inc    al        ;  al = 4
int    21        ;  Call DOS to set Int 04h to 006F:0014
int    20        ;  Terminate Program via Int 20h

;  ds:0125
db "BIOMENACE Patch for DOSBox 0.61-0.65 loaded!",0a,0d
db "Don't use it with other games!$"


> http://fd-doc.sourceforge.net/faq/cgi-bin/viewfaq.cgi?faq=incoming/1345
> "3D Realms' BioMenace crashes when firing on an enemy"

> P.S. Kudos to Jim Norwood for his excellent work!
Totally agree! For people unfamiliar with his other great games, please see the rap sheet for Jim Norwood over on the excellent http://www.mobygames.com/

Note: 006F:0014 is a direct link into the DOS kernel. I'm not sure what is there in DOSBox (as I don't use it); however, I would not recommend using this patch outside of DOSBox, as it makes direct assumptions with regard to the layout of the DOS kernel (always a bad idea). However, this patch was specifically written for DOSBox and NOT other DOS variants, so the programmer (Qbix) can be forgiven!

> I should've mentioned that, but I didn't think you were interested. :-D
Ah, but I was! :)

Note: I now have some ideas on how to incorporate safer interrupt patching and restoration for situations like this, with regard to some other IVTUTIL-related tools that already exist and others that I have planned, to aid those involved with software preservation / OS / DOS development / general curiosity.
