I examined this program carefully, and I found out that it utilizes interrupt vector table #82h.
It loads IVT #82h(0000:0208~020B) into ES:BX,
and then copies [ES:BX], [ES:BX+1], ..., [ES:BX+Fh] onto
[DS:197h], [DS:198h], ..., [DS:1A6h] respectively.
It assumes these addresses contain key scan codes.
Then it assert MSB of [DS:197h], ..., [DS:1A6h] and copy onto
[DS:1A7h], ..., [DS:1B6h]. (Pressing and Releasing Related Scancodes)
The problem is, default value of IVT 82(0000:0208~020B) is
0000:0000.
So I resolved this problem(not so satisfactory, but I have no idea
about other ways...) using debugger.
In detail,
-------------------------------------------------------
c:\savage> debug savage1.exe
-g1b
(register states omitted)
t
g8e
p
g30
t
g102
p
g43e
e ds:197
48 48 50 50 4b 4b 4d 4d 39 39 19 1 4f 0 0 32 c8 c8 d0 d0 cb cb cd cd b9 b9 99 81 cf 80 80 b2
g447
g=44A

(Now we can play the game using UP,DOWN,LEFT,RIGHT and SPACE key.)

> The problem is, default value of IVT 82(0000:0208~020B) is 0000:0000.

This vector pointing to zero is correct.
Maybe the loader (old.com) does the initialization (inserting the
keycode mapping).
old.com exploits some nice ad-tricks, especially the prefetch-queue,
which was only available on 80386 and below.

wd

Wow, Thank you so much.
Hmm, prefetch queue... I don't know much about that, but now I
smell the smoke.
By the way, what is AD-trick? Is it opcode AD(lodsw)?
I am working with the game(savage1.exe), but I found out that
the instructions are encrypted or packed!

29B7:0000 EB0A JMP 000C
...
29B7:0026 FB STI
29B7:0027 E86500 CALL 008F
29B7:002A E8D600 CALL 0103
29B7:002D E88D00 CALL 00BD
29B7:0030 E8AD00 CALL 00E0

I traced into CALL 0103, and then there were so complicated
memory-related works. 🙁 mov and lodsw and stosw and arithmetics!
I have no idea what the heck this is all about.
I have tried to uncompress this file using DIET, PKLITE, etc., but couldn't.

Do you have any idea about how I can decrypt the instructions and
modify the executable file, NOT MEMORY, or dump memory into a file?

> By the way, what is AD-trick? Is it opcode AD(lodsw)?
Anti debugger trick. A paranoid programmer was trying to protect the programm against hacking/debugging. Such things sometimes appear, in most cases IMHO rather showing off programmers skills then serving any real purpose.

Antidebugger measures often lead to problems when the program is run on newer processor/newer operating system/in emulator.

Mirek

did you try unp ? it's the best unpacker around.
futher you can use tr to trace through the application. once it's depacked you can save that as a new .exe

> Hmm, prefetch queue... I don't know much about that, but now I
> smell the smoke.

Debug old.com (i wouldn't recommend debug.exe here...), trace
into the int0, then into int2, up to the jump at 0:0x11, then
watch the repne movsb at 0:0x0a. This is where they use the
fact that a debugger (or emulator) screws up the prefetch queue:
an old cpu would load the repne as well as the iret into the
prefetch and execute this (where the repne will overwrite
these opcodes, but the prefetch doesn't get updated).
Use f11 in dosbox, and when cx changes from 8 to 7 the repne
will change into an add (7 bytes weren't moved!).
You can fix this online by moving the repne+iret to some safe
location and set cs:ip there (will be several times though).

> I have tried to uncompress this file using DIET, PKLITE, etc., but couldn't.

They use a self-developed scheme, you'd need a universal unpacker
(not unp 😉) that uses tracing techniques and handles the prefetch
correctly (cup386, gtr i think).

wd

Thanks, wd, Mirekluza and Qbix.
Genius programmers make contemporaty colleagues happy, future hackers painful 😀 When I run modified old.com, and... I can see the message 'Please insert original DISK_A and type drive letter ...'.
But it looks like floppy disk is needed.
Of course I tried mounting with '-t floppy' option, and I tried running it
on DOS(with 3.5inch floppy disk), but it was of no use. It seems that it reads raw disk sectors, and the mechanism is not compatible with modern disks.
Actually, old.com is not essential.
I used cup386 and succeeded to unpack paranoidly-packed files.(It took several minutes. Thank you) Then I hacked it. So now I can
play it without putting commands except G.
Now my tiny discontent is that I can play it only on debug.exe
Of course I can use redirection like debug savage1.exe < input.txt
but redirection is not supported on current DOSBox.
So I tried to make a simple loader which executes savage1.exe without user's inputting G<ENTER>, but that was tough for me.
I will really appreciate it if sb make it for me.

To sum up, program which is the same as debug.exe but which automatically run prey program without user's typing G is needed.

> When I run modified old.com

you should run savage.com, the memory patcher,
which loads old.com (the modified one)

Great!
Thanks.
Selecting which game to play and redefining keys are possible,too.
This is is perfect and better than I expected.
Actually I didn't have to patch exe files. (Though it was good experience)
Thanks again 😁