Reverse Engineering
The Great Escape
BY DAVID THOMAS — January 2016

First, Let's Talk About Saints Row 3

The Great Escape

• 1986 isometric 3D prison break game for the 48K ZX Spectrum

• You play a POW trying to escape from a nazi prison camp

• One of the best-regarded Spectrum games

• Later ported to the PC, CPC, C64

• Created in Liverpool by Denton Designs who went on to make its sequel: Where Time Stood Still

Specify Sinclair Spectrum Specifications

• 8-bit Z80 CPU @ 3.5MHz
• 16K ROM, 48K RAM
• 256x192 1bit-per-pixel screen (weird layout)
• Each 8x8 block can choose two colours from a set of 16
• Sound: on/off beeper buzzer

SHOW THEM THE GAME DAVE

DAVE SHOW THEM THE GAME

SHOW THEM DAVE THE GAME

Rippity Doo-Dah

How do we get started?

 

Dumped the game executable

Located all bitmaps and masks with a graphics ripper tool

Looked for any strings (found none...)

Looked for any other patterns (lookup tables etc.)

 

Anything which looked like random noise: probably instructions

Commence Disassemblifications

I used IDA Pro initially

 

- Interactive disassembler

- Can handle Z80

- Eye wateringly expensive (>£2K)

- Fortunately my employer has a licensed copy

 

But quickly got annoyed with it crashing and not having undo

 

Wrote an IDAPython script to automate the marking up of the executable

Fog O' War

Still unclear: which locations are genuine instructions?

Used a Spectrum emulator with profiling output to see which locations really are instructions

Captured this profile and pulled it into IDA Pro as comments

 

This took me down routes like:

- Some graphics data is jumped into... wtf?

- Aha! Some of the graphics, once plotted to the screen, become scratch space

SkoolKit

All this IDA Pro business got a bit painful

 

Discovered that the guy who took classics Skool Daze and Back To Skool apart and rewrote them in Python has a kit called SkoolKit for pulling apart Speccy games

 

Sort of a meta-assembler

 

I immediately switched allegiance

 

SkoolKit lets me output assembly listings and HTML cross-referenced disassemblies from one source

Slogging

From here on it's mainly slogging away, pulling each function apart and decoding the game's data formats

 

I decided to not write plain English comments on the assembly but instead to use C-style pseudocode

 

Reversing results in a scatty approach: discoveries in one function can impact elsewhere in the code

Often end up hopping around the disassembly and risk ending up with a hairball patch with little cohesion then spend time splitting the patch up into meaningful commits

Getting Somewhere?

Eventually the C-style pseudocode reaches a point where most of it makes sense and it ought to be compilable

 

Started marshalling it into C files in an Xcode project

Added a virtual ZX Spectrum library, screen handling,

The resultant code becomes The Great Escape in C

Current State (Jan 2016)

Disassembly can rebuild the original game

- Commentary suffers from being written in a pseudo-C style

 

C port starts up but gets into a weird state and goes nuts

- Hits an assert which Can't Happen(tm)

- I could well have mis-translated or omitted something

 

Recently disassembled the PC version using IDA Pro

- Pretty similar, fixes most bugs I'd spotted

- There's a German version of the game!

Sources & Legals

I contacted the game's author John Heap via LinkedIn

- Must be weird for him: imagine if a lunatic starting disassembling the code you're writing now in 25 years' time

- He said the original source is probably in landfill by now :-(

- Gave me some details about the original 68K dev kit

 

I decided to ignore the legal implications of this project

- Ownership is complicated

- I'd assumed it went Ocean -> Ubisoft but the rights reverted

- Rare Ltd. might now have the rights to the game

- Does anyone care?

- Cost of lawyer to find out > value of project

Links

The Great Escape game entry on World of Spectrum:

http://www.worldofspectrum.org/infoseekid.cgi?id=0002125

 

My reverse engineering project on github:

https://github.com/dpt/The-Great-Escape

 

The cross-referenced disassembly output from above:

http://dpt.github.io/The-Great-Escape/

 

My rebuild in C project:

https://github.com/dpt/The-Great-Escape-in-C

Alternative Load Screen by Craig Stevenson