Thursday, July 31, 2008

Imaging a real Windows 98 box into a VM

Hopefully this will help others who try this. If this rambles, realize that you're getting the short version. :)

Like in lots of families, my son has an older machine, an old hand-me-down. It's a 533 MHz Celeron with 255MB of RAM running Windows 98 and can, barely, browse the modern web.

I recently upgraded my home Linux server, moving it into the case of my Windows XP desktop, which was a few years old. (The machine is great, but I'm just not using it with my laptop.) It's 1.8 GHz with 512MB of RAM. It just sits around serving up files, and I don't use its console at all. So it should be usable by my son to run a VM, and I think at a better quality.

Lots of people, in person and on the Internet, recommend VMware's P2V program, which has since been replaced by VMware Converter. It's "experimentally supported" on Windows 98. I tried several times to install versions 3.0.3 and 3.0.2 update 1. Both would install 99% of the way and then the installer would unwind everything, without any explanation of the failure. I even tried installing on my laptop and then transferring the files over. I didn't expect this to work, and it didn't. So much for the Converter.

So, down into the bits. I boot the Windows 98 machine with a SystemRescueCD (using a version that is a few years old), and transfer an image over to my server.

% dd if=/dev/hda1 | ssh -p 3022 dweber@192.168.33.40 dd of=disk.img

One tough thing was figuring out VMware's range of software; it isn't easy to tell which products are free. My server already had a very old copy of VMware Workstation, which I used to create a virtual machine. The options for a disk were to create a new virtual disk, use an existing one, or use a physical file system.

That physical file system option intrigued me for a while, since in theory I had the entire filesystem transferred over. But this option only seems to work with an actual physical device, like /dev/hda3. So scratch that.

I don't really have an option for "importing a disk image." But I've got a plan. I make a new disk.

This VMware Workstation is so old that I can't even compile the VMware kernel modules. It predates the source-tree layout of current Linux kernels, and I spent quite some time trying to figure out if I could outsmart it, with the help of web searches on my error messages.

Well, the answer was to load up VMware Player, which is free. I boot up my VM with the same SystemRescueCD in its CD-ROM drive, start up sshd, and then go to my server and transfer the image back.

% dd if=disk.img | ssh root@192.168.162.100 dd of=/dev/hda1

I rebooted and the machine wouldn't boot. Which was pretty obvious in hindsight: I never set up an MBR. D'oh.

Okay, so I go back to that first dd command and do the whole thing again, this time with /dev/hda instead of /dev/hda1. I only transfer the first 4GB of the disk, because I don't really care that much about everything working, just something, especially the start of the disk.

Now I was able to get a boot, but there were repeated disk errors, probably because I transferred to a disk that didn't have the same cylinder/head/sector geometry.

dd2vmdk looks like an awesome tool for converting a raw disk image into a vmdk file that VMware can use. The how-to screens gave me hope, but the tool is busted. :(

I made a brand new VM, this time with files that I downloaded thanks to the instructions at swap zone, and the URLs to vmdk and vmx files it had. These were invaluable, especially because they told me how to get the precise cylinder/head/sector information from the first disk and build it up on the second. Those instructions talk about using a raw disk, but I just needed to create a plain image file instead. The VMDK spec from VMware helped me understand all the syntax.

(One really tricky bug that I ran into was an error message saying "File not found: windows.vmdk". Eventually I figured out that it wasn't having trouble finding windows.vmdk itself, but rather that a file referred to by the vmdk file was missing.)

So now I finally had a correct VM built. I booted back into a rescue CD and transferred in the disk image in chunks. (I only had one rescue CD, so I moved 20 GB from the Windows 98 machine to my server, and then from the server into the VM. As I type this I realize I could've just created an ISO file with dd and skipped that step. Oops. If you do it all at once, you don't have to learn the difference between "skip" and "seek" in dd.)
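The chunked copy mentioned above, written out as an added example that is not the post's own command sequence: the read side uses dd's skip and the write side uses seek, and the reassembled copy is checked against the original with cksum, which is the check you want before trusting an image you moved in pieces. The file names, the 1 MiB chunk size and the constructed random sample image are this example's assumptions; the post's real transfer ran dd over ssh against /dev/hda.

```shell
#!/bin/sh
# Added example (not from the post): move a raw disk image in fixed-size chunks
# with dd, using "skip" on the input side and "seek" on the output side, then
# verify the reassembled copy. Paths and chunk size are assumptions for the
# demo; the post's real transfer ran dd over ssh against /dev/hda.
set -eu

CHUNK_BYTES=1048576   # 1 MiB per chunk (demo size)

# Copy chunk N (0-based) of SRC into DST at the same offset.
#   skip = input blocks to pass over before reading  (where the chunk comes from)
#   seek = output blocks to pass over before writing (where the chunk lands)
# conv=notrunc stops dd from truncating DST when writing a chunk past the start.
copy_chunk() {
  dd if="$1" of="$2" bs="$CHUNK_BYTES" count=1 skip="$3" seek="$3" conv=notrunc 2>/dev/null
}

# Walk the whole image one chunk at a time (a short final chunk is fine: dd
# copies whatever is left). Prints the number of chunks copied.
copy_image_in_chunks() {
  size=$(wc -c < "$1")
  chunks=$(( (size + CHUNK_BYTES - 1) / CHUNK_BYTES ))
  n=0
  while [ "$n" -lt "$chunks" ]; do
    copy_chunk "$1" "$2" "$n"
    n=$((n + 1))
  done
  echo "$chunks"
}

# Succeeds only when both files have the same CRC and the same length.
images_match() {
  [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Demo on a constructed 3 MiB sample "disk image" of random bytes.
demo() {
  work=$(mktemp -d)
  dd if=/dev/urandom of="$work/disk.img" bs="$CHUNK_BYTES" count=3 2>/dev/null
  : > "$work/copy.img"
  n=$(copy_image_in_chunks "$work/disk.img" "$work/copy.img")
  if images_match "$work/disk.img" "$work/copy.img"; then
    echo "chunked copy ($n chunks) matches the original"; status=0
  else
    echo "copy does NOT match the original"; status=1
  fi
  rm -rf "$work"
  return "$status"
}

demo
```

Getting skip and seek backwards (skipping on the output, seeking on the input) silently produces a copy that still has the right size, which is exactly why the checksum comparison at the end is worth keeping even for a one-off job.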

I booted up and got a VM! It's Windows 98! yay!

Things were slow as puke and the graphics sucked, and I couldn't install VMware Tools with VMware Player. So I looked around the VMware site some more and saw that VMware Server is free. I probably should have done this part long ago.

Once that and VMware Tools are installed, I finally have a good running Windows 98 system.

Oddly, I probably gave the system too much RAM, because at 196 MB it was making my server swap. So I dropped it back down to 128 MB and things ran faster. His UB Funkeys, instead of crawling like a legless dog, now crawls like a two-legged dog. Well, it still feels faster to him, and now he has a better video card, too.

If I could send a message back to myself two weeks ago, I would say:

  • just use VMware Server, it's free and full-featured
  • download the .vmx and .vmdk files from swap disk
  • get a second rescue CD, or image the first

Happy imaging!

Thursday, July 10, 2008

Strider Password Generator

I have fun with classic games. I grabbed the Capcom Classics Mini Mix for the Game Boy a while back, mostly for Bionic Commando, but Strider was a nice bonus.

Back in the 1980's, game consoles didn't have memory sticks, and it was rare for a cartridge to actually have persistent storage. So most adventure games used "passwords" to store the game state: a long string of digits that you could re-enter to continue playing later.

Some were very easy to reverse-engineer; MegaMan 2 barely even bothered making it tough, and MegaMan 3 wasn't that much trickier. Some were obviously complicated -- Metroid, for instance, although Metroid has such a big following that many people have analyzed the entire ROM, giving direct access to the code for the password so that the checksum could be analyzed.

Strider fits a bit in the middle. The password at the start of the game is AAIA AAAA AAIA, practically begging to be understood. Trying to change it to all A's fails, but it's technically a valid password, just one the game is hardwired not to accept.

Each letter of the password can range from A to P, making it one hex digit. So we're looking at a total of just six bytes. There's a little bit of slack available, because 26 bits could encode all possible game states. I'll refer to each letter in the password as a nibble.

Slowly iterating through the game state and comparing passwords takes a while, but the simple form is that a password starts as all A's, and then values are added in pairs, using the second-last nibble as a very rough checksum.

  • Keys: Add 8, 4, 2, 1 for keys 1, 2, 3, 4 to the third and eleventh nibbles.
  • Boots: Add 8, 4, 2 for Aqua, Magnet, Attack to the fifth and eleventh nibbles.
  • Disks: Add 8, 4, 2, 1 for disks 1, 2, 3, 4 to the seventh and eleventh nibbles.
  • Disks Analyzed: Add 8, 4, 2, 1 for disks 1, 2, 3, 4 to the ninth and eleventh nibbles.

So AAIA AAAA AAIA is the password for having key 1, which you have when the game begins. The game doesn't let you start without key 1, which is why the AAAA AAAA AAAA password is rejected.

So if you forget all the above, you can just change the I's in the default password into P's and you'll start with 4 keys. Pretty quick for skipping ahead in the game.

If you're familiar with the game you'll notice that I've left some other stuff out, including the keys and disks that are higher than 4. These aren't nearly as simple, but I'll give it a shot. Really, the JavaScript code might be clearer.

  • For each level above 1: Add 1 to all nibbles, but 2 to the second and 0 to the eleventh.
  • Key 5: Add 14 to all nibbles, except 10 to the fourth, 0 to the sixth, and 0 to the eleventh.
  • Disk 6: Add 4 to all nibbles, except 8 to the eighth, and 0 to the eleventh.
  • Disk 5: Double the previous.
  • Analyzed Disk 6: Add 4 to all nibbles, except 8 to the tenth and 0 to the eleventh.
  • Analyzed Disk 5: Double the previous.
  • Plasma Arrow: Add 1 to all nibbles, but 2 to the sixth and 0 to the eleventh.
  • Red Dragon Open: Add 1 to all nibbles, but 2 to the fourth and 0 to the eleventh.
  • Fought Kain: Double the previous.

So there's one common theme to this set: adding 0 to the eleventh nibble. If you look at it sideways and squint, you can kind of see a connection between the values for disks 5-6 and disks 1-4. The key 5 value is totally bonkers.

One obvious point: when you add all these numbers, nibbles overflow. The rule is just to throw the overflow away, except for the first nibble. However many times the first nibble overflows, you increment the eleventh nibble that many times. This is why key 5 is described as adding 14 instead of subtracting 2.
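As an added illustration, here is the encoding above carried out in code. This is a separate implementation written from the rules in the two lists, not the post's own JavaScript generator. Letters A through P stand for nibble values 0 through 15; the state object's field names (level, keys, boots, disks, analyzed, plasmaArrow, redDragonOpen, foughtKain) are this example's own choice; and the overflow rule is applied by counting how many times the first nibble's running total wraps past 15.

```javascript
// Added example, not the post's own generator: build a Strider password from a
// game state by applying the nibble-addition rules described in the post.
// Letters A..P stand for nibble values 0..15. Positions in the comments are
// 1-based as in the post; the eleventh nibble is array index 10.

const LETTERS = "ABCDEFGHIJKLMNOP";
const ELEVENTH = 10; // rough checksum nibble, exempt from every "add to all" rule

// Bit value of a set of items: the first item in `order` is worth 8, then 4, 2, 1.
function bitValue(items, order) {
  return order.reduce((sum, item, i) => sum + (items.includes(item) ? 8 >> i : 0), 0);
}

// "Add N to all nibbles, but M to the k-th and 0 to the eleventh."
function addToAll(totals, all, except = {}) {
  for (let i = 0; i < 12; i++) {
    if (i === ELEVENTH) continue;
    totals[i] += i in except ? except[i] : all;
  }
}

// Field names of the state object are this example's own choice (assumption).
function makeState(overrides = {}) {
  return {
    level: 1, keys: [1], boots: [], disks: [], analyzed: [],
    plasmaArrow: false, redDragonOpen: false, foughtKain: false,
    ...overrides,
  };
}

function encodePassword(state) {
  const totals = new Array(12).fill(0);
  // Items 1-4 add their bit value to one data nibble and to the eleventh.
  const addPair = (index, value) => { totals[index] += value; totals[ELEVENTH] += value; };
  addPair(2, bitValue(state.keys, [1, 2, 3, 4]));                  // third nibble
  addPair(4, bitValue(state.boots, ["Aqua", "Magnet", "Attack"])); // fifth nibble
  addPair(6, bitValue(state.disks, [1, 2, 3, 4]));                 // seventh nibble
  addPair(8, bitValue(state.analyzed, [1, 2, 3, 4]));              // ninth nibble

  // The "add to all nibbles" rules, with their per-position exceptions.
  for (let l = 1; l < state.level; l++) addToAll(totals, 1, { 1: 2 });   // second
  if (state.keys.includes(5))     addToAll(totals, 14, { 3: 10, 5: 0 }); // fourth, sixth
  if (state.disks.includes(6))    addToAll(totals, 4, { 7: 8 });         // eighth
  if (state.disks.includes(5))    addToAll(totals, 8, { 7: 16 });        // double of disk 6
  if (state.analyzed.includes(6)) addToAll(totals, 4, { 9: 8 });         // tenth
  if (state.analyzed.includes(5)) addToAll(totals, 8, { 9: 16 });        // double of analyzed 6
  if (state.plasmaArrow)          addToAll(totals, 1, { 5: 2 });         // sixth
  if (state.redDragonOpen)        addToAll(totals, 1, { 3: 2 });         // fourth
  if (state.foughtKain)           addToAll(totals, 2, { 3: 4 });         // double of Red Dragon

  // Overflow rule: carries are thrown away everywhere except the first nibble,
  // whose wrap-arounds each bump the eleventh nibble once. All additions are
  // positive, so the wrap count is simply the running total divided by 16.
  totals[ELEVENTH] += Math.floor(totals[0] / 16);

  return totals.map((t) => LETTERS[t % 16]).join("");
}

// Group into the AAIA AAAA AAIA form shown on the password screen.
function formatPassword(raw) {
  return raw.match(/.{4}/g).join(" ");
}

// The all-A password is well formed but refused: the game insists on key 1.
function gameAccepts(state) {
  return state.keys.includes(1);
}

console.log(formatPassword(encodePassword(makeState())));                       // AAIA AAAA AAIA
console.log(formatPassword(encodePassword(makeState({ keys: [1, 2, 3, 4] })))); // AAPA AAAA AAPA
```

With only key 1 at level 1 this yields AAIA AAAA AAIA, the start-of-game password, and with keys 1 through 4 it yields AAPA AAAA AAPA, the "change the I's to P's" shortcut. Working the rules by hand, the post's BBJC BBEB EBOB is what you get from key 1, disks 3 and 4 (both analyzed) and Red Dragon Open at level 1, and BKAP BDAN ANAB is level 10 with keys 1 through 5, disks 1 through 6 all analyzed, no boots, Kain fought and Red Dragon not open; both states come out of this function the same way. Because every addition is positive, the number of first-nibble wraps is the same whatever order the rules are applied in.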

By messing with game data like this, you can easily create unwinnable games:

  • Often the game will lock you into an area to level up and not let you leave until you pick up a key item. If you already have the item but not the level, the game won't let you leave.
  • If you give yourself all the boots and grab key 4 out of the upper room of Kazakh, you'll be stuck in a room you can't exit without key 2.
  • If you go to the Red Dragon without both Slide In and the Magnetic Boots, you can't get to the boss. And I don't think you can defeat that boss if you don't have Plasma Arrow.

The level-up logic is pretty straightforward: if you accomplish something to get you to level X, your level is bumped up to X -- unless it's already higher, in which case you stay at that level. Sometimes I found the game awarding me with a level up even when my level stayed the same. ("BKAP BDAN ANAB" might do this, but my notes are messy right there.) Which level you are at determines the "story" you get at the password screen.

"BBJC BBEB EBOB" will generate an interesting bug if you analyze disk 4. (I've found another way of getting this bug, with Kain instead of Matic, but don't recall exactly the code path I took to get to it.)

I can't quite figure out the logic for what areas you can travel to after analyzing disks. I do know that once "Red Dragon" is checked, though, that's the only place you can ever travel to. For a real challenge, try doing that at level 2 with only Plasma Arrow and Magnetic Boots.

Feel free to play around with this. Let me know if you find any interesting stuff.

[Interactive password generator form (requires JavaScript): selects your level, HMax, Emax, S.level and Trick; Keys 1-5; Disks 1-6; Disks Analyzed 1-6; Boots: Aqua, Magnet, Attack; Others: Plasma Arrow, Fought Kain, Red Dragon Open.]