Open the door to the myth of the 64K program

Source: Internet
Author: User
Tags: arithmetic

Presumably everyone has seen the 64K program that displays 3D graphics with sound. Swordlea, the moderator of the C section at Lilac, disassembled it and obtained the first layer of the 64K code. What follows is my post on Lilac:

Over the last two days I have been studying the disassembled code, and I think I now roughly understand the whole execution flow, so I am posting it here to discuss with everyone. I am not very familiar with assembly, so there are surely mistakes; please point them out.

The whole code is divided into three parts: the entry function labeled start, a function labeled sub_155 that mainly performs some decoding operations on the data, and finally a large run of DB data. As Swordlea said, the code that really executes is that data: start and sub_155 first decompress the data, then jump to the decompressed code and begin executing it.

The start function:

seg000:0100 xor si, si
seg000:0102 mov di, 2000h
seg000:0105 mov ch, 10h
seg000:0107 rep movsw

This transfers 16 words from offset 0 to 2000h. I do not understand this part, nor why the program starts by doing it.

seg000:0109 mov ax, cs
seg000:010b add ax, 200h
seg000:010e push ax
seg000:010f push 113h
seg000:0112 retf

This jumps to cs+200h:113h, which looks like it simply jumps to the next instruction; I have not figured this part out.

seg000:0113 push cs
seg000:0114 pop ds
seg000:0115 mov si, 1a1h
seg000:0118 mov di, 100h

This sets the source address to cs:1a1h, the start of the DB data run, and the destination address to cs:100h, where a DOS COM program's instructions begin. The code that follows takes bytes from si, decompresses them and stores them at di, so it is clearly processing the DB data run and placing the result in the COM program's code area, and finally it jumps there to execute it.

seg000:011b push es
seg000:011c push di
...
seg000:0154 retf

The es:di pushed at the start are used by the retf after decompression to jump to es:di, i.e. seg000:100h (the decompressed code). Only then does execution of the real code begin.


seg000:011d mov ax, 111h
seg000:0120 mov bx, 1321h
seg000:0123 loc_123:
seg000:0123 mov [bx], ax
seg000:0125 dec bx
seg000:0126 dec bx
seg000:0127 dec ax
seg000:0128 jns short loc_123

This places word data starting at 1321h and going downwards: 111h, 110h, ..., 0h. It is used inside sub_155, perhaps as some kind of table for the decompression algorithm.

Then the decompression starts:

seg000:012a lodsw
seg000:012b xchg ah, al
seg000:012d mov cx, ax
seg000:012f mov bp, 0ffffh

----- [si] -> ax; ah and al are swapped; cx = ax; bp = 0ffffh

seg000:0132 loc_132:
seg000:0132 call sub_155
seg000:0135 cmp ax, 100h
seg000:0138 jz short locret_154
seg000:013a jg short loc_13f

------- call sub_155; when ax equals 100h jump to locret_154 (the end of start); when ax is greater than 100h jump to loc_13f


seg000:013c stosb
seg000:013d jmp short loc_132

------- otherwise al -> es:[di]; then go back up to loc_132 to process the next DB byte
seg000:013f loc_13f:
seg000:013f sub ax, 0ffh
seg000:0142 push ax
seg000:0143 call sub_155
seg000:0146 pop dx
seg000:0147 neg ax
seg000:0149 mov bx, ax

------- ax -= 0ffh, then sub_155 is called again; the pushed value is popped into dx, and bx = -ax (the two's complement)
seg000:014b loc_14b:
seg000:014b mov al, es:[bx+di]
seg000:014e stosb
seg000:014f dec dx
seg000:0150 jnz short loc_14b
seg000:0152 jmp short loc_132

-------- es:[bx+di] -> al; al -> es:[di]; if (--dx) != 0 repeat, otherwise jump back to loc_132


This is the arithmetic processing applied to each DB byte of data. The parameter of sub_155 is cx. Each time, the data to be decoded is placed in ax, its high and low bytes are swapped and it is placed in cx, then sub_155 is called; the result is processed and stored in memory starting at seg000:0100h. Finally start's retf returns to es:di, which as just said is seg000:0100h, and at that point the memory starting at this address already holds the decompressed instructions.

The sub_155 routine only performs a series of arithmetic operations that assist start's decompression.
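To make the three branches of the loop above concrete, here is an added C model of start's decode loop (my own example, not code from the demo or from the post). Because sub_155 is not shown, its successive return values are read from a constructed symbol stream instead, and the sample streams below are constructed as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The decode loop of start (loc_132 / loc_13f / loc_14b). sub_155 is not shown
 * in the post, so its successive return values are read from a constructed
 * symbol stream syms[] instead; dst plays es:di. Returns bytes written, or -1
 * if the stream is malformed or the output does not fit in cap. */
long unpack(const uint16_t *syms, size_t nsyms, uint8_t *dst, size_t cap) {
    size_t si = 0, di = 0;
    for (;;) {                                  /* loc_132 */
        if (si >= nsyms) return -1;             /* ran out before the end marker */
        uint16_t ax = syms[si++];               /* "call sub_155" */
        if (ax == 0x100) return (long)di;       /* jz locret_154: done */
        if (ax < 0x100) {                       /* literal byte: stosb */
            if (di >= cap) return -1;
            dst[di++] = (uint8_t)ax;
            continue;
        }
        uint16_t len = ax - 0xFF;               /* loc_13f: sub ax, 0ffh */
        uint16_t dist = si < nsyms ? syms[si++] : 0;   /* second call: distance back */
        if (dist == 0 || dist > di) return -1;  /* would read before the output start */
        while (len--) {                         /* loc_14b: al = es:[bx+di], bx = -dist */
            if (di >= cap) return -1;
            dst[di] = dst[di - dist];           /* byte by byte, so dist < len overlaps */
            di++;
        }
    }
}

/* Constructed streams (not from the demo): literals, a back-reference of
 * length 5 at distance 3, and an overlapping length-4 run at distance 1. */
static const uint16_t SAMPLE1[] = { 'a', 'b', 'c', 0x104, 3, 'x', 0x100 };
static const uint16_t SAMPLE2[] = { 'z', 0x103, 1, 0x100 };

/* Decode a stream and report whether it yields the expected text. */
int unpack_matches(const uint16_t *syms, size_t nsyms, const char *expect) {
    uint8_t buf[64];
    long got = unpack(syms, nsyms, buf, sizeof buf);
    return got >= 0 && (size_t)got == strlen(expect) &&
           memcmp(buf, expect, (size_t)got) == 0;
}

int main(void) {
    printf("%d %d\n", unpack_matches(SAMPLE1, 7, "abcabcabx"),
                      unpack_matches(SAMPLE2, 4, "zzzzz"));
    return 0;
}
```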

That is the whole process. In the end this still is not the code whose effect we actually see; I hope the experts can dig out the decompressed code so we can all have a look.
-------

P.S. We can use Ctrl-C to bring the program into DEBUG; right after it has started running, press ESC to return to DEBUG, and then use the U command to disassemble the extracted code. For example, the first 20 bytes of code are as follows:

MOV AX,CS
MOV DS,AX
MOV DI,4248
ADD AX,1000
STOSW
ADD AX,1000
MOV CX,0014
STOSW
INC AH
LOOP 0115
MOV DI,13AE
MOV CX,1FDE
.....

Because it is ultimately a COM program, it cannot exceed 64K; if you are interested you can extract it :)
