Foone🏳️⚧️
Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
Prove you're a human! Beat Lifewater Oasis from Commander Keen 4! Defeat the Yeti in Kings Quest 5! Make sure 15 lemmings survive! Get the sword in Prince of Persia!
Foone🏳️⚧️
the worst part is that this was done with a compiler from 1991 so there's no way it unrolled the loop itself. they did this manually
Foone🏳️⚧️
why do:
for(int i=0;i<256;i++){
upload_color(i,palette[i]);
}
when you can do
upload_color(0,palette[0]);
upload_color(1,palette[1]);
upload_color(2,palette[2]);
upload_color(3,palette[3]);
upload_color(4,palette[4]);
upload_color(5,palette[5]);
and just repeat 251 more times
Foone🏳️⚧️
can I not set an I/O breakpoint in dosbox-x's debugger? I forget.
Foone🏳️⚧️
oh sweet laser jesus I found the upload palette function and THEY UNROLLED IT
Foone🏳️⚧️
I love when games use __FILE__ in their assertions. please tell me all your filenames please
Foone🏳️⚧️
looks like the separate game engines are called puzzler, electric, and simple.
Foone🏳️⚧️
found 5 places the palette is reprogrammed
and all are in overlays. ugh.
Foone🏳️⚧️
OKAY realistically this is a game that features several different games you can play, and games between games. they're just gonna make each one a separate overlay.
so I need to figure out how it shifts overlays and how to track which overlay is active
Foone🏳️⚧️
step up: find the fade out.
see the game fades out when you go into a door. find where that code is, then see what gets called next.
finding a fade out should be easy: look for when they reprogram the VGA palette registers to dim every color to black.
Foone🏳️⚧️
Seems Gizmos and Gadgets is a 16-bit EXE compiled with Borland Turbo C++ (no floating point support)
Foone🏳️⚧️
oh goody my favorite, OVERLAYS!
as if segmented code wasn't enough of a pain, where you don't know where a pointer points to unless you see how it's used, now you don't know what code is CURRENTLY loaded at that position, because it changes!
Foone🏳️⚧️
Just throwing surfers randomly in point and click adventures and then telling them to find an item would also be funny.
Do you know where to get the Cloaking Belt in Space Quest 3? How about the box of electronic bunnies in Full Throttle?
Where's the Old Book on Hugo 3: Jungle of Doom?
Foone🏳️⚧️
You know, I was just thinking yesterday I should reverse engineer that game, but I don't really have a reason to.
Now I do.
Foone🏳️⚧️
"have a population of at least 20,000 within 5 years in this game of SimCity 2000"
Foone🏳️⚧️
The edutainment puzzles from the doors in Super Solvers: Gizmos and Gadgets!
Foone🏳️⚧️
Chip's Challenge levels would also be funny.
Foone🏳️⚧️
We use geo-ip to automatically allow anyone showing up as accessing the site from the state of Oregon, of course.
Foone🏳️⚧️
(that is only one slight degree sillier than something I have done professionally for a website)
Foone🏳️⚧️
Oregon Trail would also be funny.
To prove you are a human, get to Oregon.
Foone🏳️⚧️
!
Where in the world is Carmen Sandiego!
You catch the culprit of the current case, using the clues and your geographic knowledge and Encyclopedia!
Foone🏳️⚧️
Same form lemmings... God, is it just all puzzle games?
Foone🏳️⚧️
I have thought about adapting Simon Tatham's puzzle collection to a captcha. Like it just gives you a puzzle with no instructions.
Foone🏳️⚧️
Honestly just making it do The Incredible Machine puzzles would be hilarious
✧✦Catherine✦✧
@foone this is why i love binja and can't stand hexrays
who tf *wants* this kind of c output
(apparently if you work with it for years the typecasts get filtered in your mind. i do not wish to learn this)
Rich Felker
@whitequark @foone Those casts are utterly hideous especially the gratuitous ones. It should be typing the synthesized locals to the right type to avoid needing pointer casts, and omitting noop or implicit-equivalent casts.
Foone🏳️⚧️
this math:
local_8 = (int)(0x3f / (long)param_1) + 1;
iVar6 = 0;
do {
uVar7 = (undefined2)((ulong)param_2 >> 0x10);
uVar8 = (undefined2)((ulong)param_4 >> 0x10);
iVar4 = (int)param_4;
uVar1 = (int)*(char *)(iVar4 + iVar6) - (int)*(char *)((int)param_2 + iVar6);
uVar2 = (int)uVar1 >> 0xf;
local_608[iVar6] = (char)((int)((uVar1 ^ uVar2) - uVar2) / local_8) + '\x01';
iVar6 = iVar6 + 1;
} while (iVar6 < 0x300);
Foone🏳️⚧️
I'm staring at this code going "if it was less 2am, I could understand this math"
Foone🏳️⚧️
interesting: the same function is called to fade a palette TO black and to fade a palette FROM black
I wonder if it's specialized to just be palette to black and vice versa, or if it does arbitrary fades between two palettes?
Foone🏳️⚧️
(approximately 1536 times)
Foone🏳️⚧️
this set_palette code got loaded into the segment 0BBC, one of the only 16-bit DOS segments marked red in shinigami eyes
Foone🏳️⚧️
or maybe not? it's too 2am to tell.
ANYWAY I'm currently debugging through a function that's 256 palette entry uploads and my debugger has no "run until return" function so I have to manually hit next instruction SO MANY TIMES
Foone🏳️⚧️
"hey ghidra what calls set_palette?"
"I don't know! you're in 16bit segmented mode! pointers are MEANINGLESS
Foone🏳️⚧️
ahh, nope! I misidentified it.
the second parameter on set_palette is how many frames to set it for.
The same palette gets set.
it vsyncs every time so this is a set_palette that's also a timing function
Foone🏳️⚧️
oh that's cute. their set_palette function takes two arguments: a pointer to the palette, and a number of extra palettes to apply.
so they could set up an array of palettes in decreasing brightness, and just do set_palette(&fade_pallets[0], 64) to go through them.
but the same function is a regular one-time set_palette if you just pass 1 for the second argument.
Haelwenn /элвэн/ :triskell:
Foone🏳️⚧️
if there's a game you grew up with and love on platform X, never play a cheap 90s port of that game to platform Y. it never ends well
Foone🏳️⚧️
I can't play it because MIDI doesn't work on Windows 10
Foone🏳️⚧️
sticking a zero byte file at C:\Windows\SysWOW64\midimap.cfg fixed that. It runs. I kinda hate it, but that's to be expected.
Foone🏳️⚧️
you know, because of pointers that actually point
Foone🏳️⚧️
oh hey, there is a 32bit windows version of this game? that might be way easier to reverse engineer
Foone🏳️⚧️
https://github.com/NationalSecurityAgency/ghidra/issues/5543
oh this is more complicated than I can figure out at 2:42am
Foone🏳️⚧️
I like that this program using overlays is only 209kb.
"oh no, we can't fit all 209 kilobytes of our program into RAM! better use our compiler's overlay system"
TWO HUNDRED KILOBYTES
Foone🏳️⚧️
wasn't there some kind of tool that could flatten out an overlay'd file, at least enough for ghidra to load it?
Foone🏳️⚧️
found the INT31!
we've got OVERLAYS FOR SURE!
Foone🏳️⚧️
writer-brain grabs the mic:
C'S MEMORY HANDLING IS SO BAD IT CAN BE EXPLOITED BY THE GERMAN LANGUAGE ITSELF
Foone🏳️⚧️
someone should write a fictional programming library reference book.
like, fit enough interesting ideas in about what the fictional world needs functions for, worldbuild in the cracks, but stay clearly still a dry list of man pages?
Foone🏳️⚧️
enough writing about FICTIONAL C LIBRARY FUNCTIONS, what the hell writing brain, let's get back to reverse engineering
Foone🏳️⚧️
Try it out on your local javascript console:
>> "Straße".length
6
>> "Straße".toUpperCase().length
7
Foone🏳️⚧️
so yeah hypothetically if you had a version of stricmp that was strncmp and compared two strings of different length, this might still be a match, if your locale treated the German Eszett this way.
Foone🏳️⚧️
To greatly oversimplify, the german letter "ß" is lowercase, and in uppercase you write it "SS".
So if you have two strings, one reading "straße" and one reading "STRASSE", they are different lengths (6 vs 7), but case insensitively comparing them should return a match.
Foone🏳️⚧️
I figured out the hypothetical 4-argument strcmp:
it's a locale-specific strnnicmp.
That's stricmp (compare insensitively) and also strncmp (compare only the first n characters), but with TWO LENGTHS! Why? To compare two strings of different lengths, case-insensitively.
Foone🏳️⚧️
and you might say "why would you compare two strings you know are of different lengths, of course they're not equal"
Well, if the compare is case insensitive, they might still match... in a german locale!
Foone🏳️⚧️
so I live another day, safe from the horror that is the 4-argument strcmp.
what does it do? how does it work? I don't want to know.
Foone🏳️⚧️
there's some nonsense going on here with pascal calling convention but I think I'm too tired already to figure out the exact details well enough to explain it.
Foone🏳️⚧️
but the bottom line is that it's not a 4-argument function, it's a 3-argument function. the decompiler just didn't get the calling convention exactly right.
Foone🏳️⚧️
What happened: I'm looking at a function that's clearly a strcmp of some kind. It seems to compare against a length, so... strncmp? looks like it, except it takes FOUR ARGUMENTS?! what could this be?
I look at several variants of strncmp to see if there's a 4-argument version, then give up and look back at ghidra's decompilation: it never uses argument 1.
Foone🏳️⚧️
WHAT IN THE BORLAND TURBO C PLUS PLUS IS GOING ON HERE?
Foone🏳️⚧️
Ghidra is better at reversing MSVC-style arguments than Borland-style. Makes sense. Probably not a lot of Evil Malware written in Borland Turbo C++ these days
Foone🏳️⚧️
yeah this is some windows 3.x-ass code. They definitely recompiled it as 32bit and did all the changes that required, but the general feel of the code is that it's 3.x code, with how it handles most things.
Foone🏳️⚧️
now let me copy this program onto this SD card in my laptop's built-in SD card reader
Foone🏳️⚧️
this may seem "boring" and "mundane" and "how debuggers always work?" but just imagine you have lost that simple ability to compare code between the two programs?
that is the horror of 16bit segmented code
Foone🏳️⚧️
I've been doing too much GBA reverse engineering. I saw a 32bit pointer starting with 0x02 and tried to remember if that was on-cartridge RAM.
this is a /windows/ program. on windows 10.
THERE ARE NO CARTRIDGES!
Foone🏳️⚧️
see the cool thing about reversing 32bit or 64bit code is that it's not segmented, so when you look in your debugger and it says it's running a function at 0x004013cc, you can go over to ghidra and type in "0x004013cc" and it'll show you that same function!
Foone🏳️⚧️
and CreateFile.
they use both. fun!
Foone🏳️⚧️
I wonder if these fuckers just skipped using the windows DLL loader and wrote their own so they could use them on win32?
Foone🏳️⚧️
oh goody, they're not using the regular CreateFile
they're using _lopen. The 16-bit windows compatibility one!
Foone🏳️⚧️
okay I'm running in a debugger now, with breakpoints on LoadLibrary/GetProcAddress.
There's no activity while doing stuff that'll trigger the .DAT files (which are DLLs) to load.
Foone🏳️⚧️
oh it's trying to load WinG32.dll
that's a pre-directx windows library for high speed graphics. it was partially written to get Doom running at full speed under windows.
Foone🏳️⚧️
hah! it works!
it turns out they installed this pre-win95 graphics library into System32 of my 64bit windows system (well, sysWOW64)
Foone🏳️⚧️
you know, just in case the address has changed between compile time and run time
Foone🏳️⚧️
obviously the first thing you call GetProcAddress on is "GetProcAddress"
Foone🏳️⚧️
they didn't bother to make the animations play at the right speed :(
Foone🏳️⚧️
they are indeed using those files.
I'm wondering if they're just using them for data, though? maybe they just load them and pull resources out, and the Real Code is elsewhere?
Foone🏳️⚧️
procmon time. what do you do, game?
Foone🏳️⚧️
you're... making int21h calls?
in a DLL? your'e making raw DOS interrupt calls in a WINDOWS DLL!?
Foone🏳️⚧️
I'm starting to think none of these DLLs are actually ever used
Foone🏳️⚧️
I'm on my laptop now (disability reasons) but my Real Workstation has like 13 versions of Ghidra installed
Foone🏳️⚧️
it's only a matter of time before someone invents one of those Version Managers like for node/ruby/etc but it just keeps track of your ghidra versions
Foone🏳️⚧️
because this smells like it's either brilliant or a crime against man and God and I need to find out which.
and yes, both is an option
Foone🏳️⚧️
WAIT
I was using this ancient version of ghidra for GBA hacking
I'm doing x86 hacking now
why am I still on a version with a broken dark mode?
Foone🏳️⚧️
all this is telling me "give up on the windows version and go back to hacking the DOS version" but I have to figure out what the fuck they're doing here.
Foone🏳️⚧️
that can't be right. I'm on a 64bit system. those DLLs shouldn't even load.
Foone🏳️⚧️
These are NE executables. So windows 3.x.
Those... shouldn't be loading. Unless they're 32bit, somehow... is win32s being invoked here? and somehow working? on a 64bit OS?
did they embed a 16bit x86 emulator into their program? (no)
Foone🏳️⚧️
Language ID: x86:LE:16:Protected Mode (2.13)
what do you mean 16bit protected mode? the one used for, like, Xenix? the 286 one that was an evolutionary dead end? YOU'RE RUNNING THAT IN DLLs?
Foone🏳️⚧️
I think that's exactly what they did.
on the CD there's a bunch of DAT files in SSGWINCD, and they mysteriously all start with the bytes MZ, like a DLL/EXE
Foone🏳️⚧️
loadLibrary()ing a .DAT file? naughty naughty.
Foone🏳️⚧️
maybe they compiled the games into DLLs and had a delphi shell around it?
Foone🏳️⚧️
wait, ghidra autodetects the 32bit version as being DELPHI?!
The DOS one is definitely C++.
Did these fuckers rewrite the whole game in Delphi so it'd run on Win32?
Foone🏳️⚧️
set your CDDrive to C:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to crash the game
Foone🏳️⚧️
I know programmers who use strncpy and they're all cowards
Foone🏳️⚧️
it does nothing to stop you from just copying the files onto the PC and just changing the INI, and then it runs without CD:
[Gizmos & Gadgets! CD]
CDDrive=C:\Tlcwin\Ssgwincd\CD\Ssgwincd\
Foone🏳️⚧️
I have altered the gear puzzle
pray I do not alter it any further
Foone🏳️⚧️
Borland Turbo C++: I know compilers who merge constant strings and they're all cowards
Foone🏳️⚧️
I think I found the "load this resource by type+ID" function.
I had temporarily named it "something_resource_something"
Foone🏳️⚧️
okay yeah they're parsing their own EXE Files.
absolutely wild.
Foone🏳️⚧️
oh goody it emulates file numbers on top of the whole windows Handle thing.
so it's limited to 127 files open at once
Foone🏳️⚧️
correction: 30 files
Foone🏳️⚧️
I don't know if they wrote their own NE executable header parser or there's some weird API for it that they're using
Foone🏳️⚧️
so I think what's going on is these weirdos abused the 16bit linker to build their DAT files
that's why they're all DLL/EXE files
Foone🏳️⚧️
so it seems the NE files have multiple resource sections, and the first one has an index to get to the sub-chunk, and the rest are just in that order.
Foone🏳️⚧️
so it seems to identify chunks by a 4-digit character string (like NFNT) and a 16bit integer.
Very similar to what 3d Movie Maker does
Foone🏳️⚧️
the game's EnsureFontLoaded function seems to be called with 2 font numbers:
15000 and 200
I'm sure that makes sense to someone
Foone🏳️⚧️
okay and I can spot a chunk index I sorta understand inside FONTS.DAT which specifies 3 fonts: 200, 300, and 15000
Foone🏳️⚧️
found another byte-level patch:
there's a debug-printf function which has a hack at the top to set the first character of the printf template to \0
Foone🏳️⚧️
the producer was Sid Weber
Foone🏳️⚧️
a linked list of fonts, indexed by number.
that's an interesting approach to font storage
Foone🏳️⚧️
the documented cheats are missing at least one: ctrl-w
I have no idea what it does besides print "beam me up sid" in the corner.
it does SOMETHING, I just don't understand what yet.
Foone🏳️⚧️
I should automate this and dump screenshots of all 270 puzzles
Foone🏳️⚧️
btw: at first glance, no evidence of cheats in the DOS version
Foone🏳️⚧️
puzzle counts:
43 scales
40 electricity
33 energy
42 force
42 gear
20 jigsaw
30 "magnetizm"
20 simple machine
Foone🏳️⚧️
well that sure is a fuck of a thing.
playing with the cheats and there's a pick-a-puzzle mode.
It looks like this.
Foone🏳️⚧️
the funniest part? that's an image. like, in the game. they just screenshotted an image and wired up some basic clickables. It's not a real dialog!
Foone🏳️⚧️
I just realized this is a game. fuck, half this should be on TCRF. I do not have time for that right now
Foone🏳️⚧️
yeah, there's other dialogs like "you need to be in 386 enhanced mode!" that I think they just orphaned when they made this version win9x only
Foone🏳️⚧️
They patched out this dialog box.
Foone🏳️⚧️
I think the typo in the name is a bug on my resource viewer
Foone🏳️⚧️
yeah the EXE has a modification date of 1998, but the compile time inside the EXE says 1994
Foone🏳️⚧️
I spotted them in the EXE and googled to see if they were known. Yep. At least in that one post!
Foone🏳️⚧️
ah-ha!
see that?
They call GetVersion(), then no matter if it's below 4 or not, they jump to the SAME PLACE, and there's dead code below it.
This EXE has been patched after compilation!
Foone🏳️⚧️
BTW it turns out there's cheats in the windows version.
maybe in the other versions too? I don't think anyone has found them if so.
https://www.speedrun.com/super_solvers_gizmos_and_gadgets/forums/vcalv
Foone🏳️⚧️
maybe I just need to delete every function and re-analyze from scratch
Foone🏳️⚧️
(i just re-imported the EXE as a new file, and I'll manually port over the dozen or so symbols I've found.)
Foone🏳️⚧️
yep and it's buggered every single function, even after changing language. I can delete and recreate functions, but that might not fix them because they're getting hints from downstream functions which it still thinks are __fastcall and not __stdcall
Foone🏳️⚧️
yeah this code is just casually mixing pascal and stdcall calling conventions. I am in hell
Foone🏳️⚧️
okay yeah. this is not remotely delphi. this is C++. ghidra mis-detected it, and that may have messed up the analysis
Foone🏳️⚧️
I'm guessing this is dummying out code that didn't work
Foone🏳️⚧️
you even check, in the calling code, that it returns 0 and not some other value. you have fallback code for if it fails.
it can't fail.
Foone🏳️⚧️
correction, you're returning a boolean.
and it's hardcoded to always return a 0, which is false.
so this ALWAYS fails.
Foone🏳️⚧️
haha, 1991-1997 programmer: you made the LoadDirectSoundFuncptrs return a 0 for success, but you only ever return 0. your code smells with your bad decisions, which I can see THROUGH TIME from 30 years later
Foone🏳️⚧️
DirectSound?!
this windows 3.x-ass program uses DirectX?!
Foone🏳️⚧️
the funniest part? I'm back in reverse engineering mode.
it's not even a 3-argument version of strcmp. it's just a weird strcmp(char*,char*): It only takes two arguments! not even three!
Foone🏳️⚧️
how do you confuse a two-argument function for a FOUR argument function?
borland. borland is how you do that.
Haelwenn /элвэн/ :triskell:
Foone🏳️⚧️
yeah these punks just wrote their own code to parse NE headers. presumably because they made this silly resource scheme on windows 3.x, but had to rewrite some of it to handle win9x
Foone🏳️⚧️
hResInfo = FindResourceA(*(HMODULE *)((int)&pLVar3[3].prev + 2),
(LPCSTR)(uint)*(ushort *)&new_node[1].next,chunk_type);
heuristically decompiled C is such a beautiful language
Foone🏳️⚧️
ahh, the most obscure of the electrical components, the zeppelin
Foone🏳️⚧️
I thought I'd figured out where it loads images. Nope! This is for palettes.
Foone🏳️⚧️
looks like ASEQ is the image format.
Here, I've used it to make this electricity puzzle impossible
Foone🏳️⚧️
oh nasty, this function picks which linked list to use based on a flag.
I sure hope those are compatible types and they aren't just mixing different lists of different types entirely!
Foone🏳️⚧️
nah. I went through the 51 calls to allocate_something, but most don't look like they're for linked lists. this is just a generic malloc
Foone🏳️⚧️
yup found the allocate, it's a 34 after all. Maybe I should just look at this allocator, is this a linked-list only allocator?
Foone🏳️⚧️
the reverse engineer who worked on this before me* has helpfully named the allocator "allocate_something" which doesn't tell me what exactly it allocates.
* that would be me
Foone🏳️⚧️
I'm sure there's some benefit to having an end-of-list marker instead of just having the last object have a next pointer that's NULL, but I'm not sure what it is right now, too tired to think about linked lists in that much detail.
Foone🏳️⚧️
I should find all the global linked lists and systematically find out how big they are.
They always use the same UnsafeNodeGetNext/SafeNodeGetNext functions to deal with them, I can just look up all call sites for those functions and see what linked list they're being used on. then I track where that linked list is used to where someone calls a malloc
Foone🏳️⚧️
eww, the list definitely is heterogeneous. I just realized that the list always has an "end of list" marker that's just an instance of the base LinkedList struct, so it's only 8 bytes (two pointers). So every list has to contain two different types of objects, because some objects are the special end-of-list object.
Foone🏳️⚧️
I just made them resources_26byte_list and resources_34byte_list
Foone🏳️⚧️
oh fuck, I think this is entirely my fault. I think there's two linked lists that are used separately by this function, but both are related to resources so I named them both basically "resource_linked_list" and didn't notice the function switches between which one it is using
Foone🏳️⚧️
so the second list probably has the 34-byte objects I originally thought this function used.
So it's "ResourceNode" vs "ResourceNode3".
very bad names, I need to change them immediately, but I don't know what to.
Foone🏳️⚧️
if the objects you stuff into the resource_linked_list collection are 26 bytes long, WHY ARE YOU REFERENCING THE 28th BYTE?
CMP word ptr [ESI + 0x1c ],0x5
0x1C is 28! that's 28! IS THIS JUST A MEMORY BUG IN THE ORIGINAL GAME?
Foone🏳️⚧️
so the obvious thing to assume is that the things in that list are 26 bytes each, since we're sticking one in now.
but the code that iterates through the list doesn't seem to make sense if you have 26-byte objects! something weirder is going on
Foone🏳️⚧️
questioning if my 26-byte-malloc is off. perhaps it's more like "allocate packet with header and data" and it's only taking the size of the data in the argument, so it allocates sizeof(header)+data_length
Foone🏳️⚧️
so in the first chunk of the function, it iterates through the list, looking for a match. if it finds one, it exits early. This is a "load a thing and stick it in a list of loaded things" type function, so that makes sense: don't load the same asset twice if we ask for it twice.
but then once it's not found it, it allocates a 26 byte object, which it eventually inserts into the same global linked list as the list of objects it iterated at the beginning
Foone🏳️⚧️
oh wait no, are these heterogeneous* linked lists? like there's different types shoved into this list? Eww!
*not the right word but I can't remember the right one right now
Foone🏳️⚧️
psVar1 = (short *)((int)&((LinkedListNode *)((int)pLVar3 + 8))->next + 2);
yeah something tells me this isn't being disassembled correctly. I'm telling it the wrong types. I think this is mixing two types freely and I'm pulling my hair out trying to reconcile the differences that only exist at runtime.
Foone🏳️⚧️
and the first problem with this is that I don't know how big ResourceListNode is either, I'm going to have to guess unless I can track down a malloc somewhere. Which I guess should be easy, in a linked list? they're mallocing node-sized chunks all over the place.
Foone🏳️⚧️
that's what the "pLVar3[3].prev" nonsense is about. The code is accessing the, uh... 36th? bytes in a struct autodetected as a LinkedListNode struct, which is only 8 bytes. So it has to assume it's an array and a member access
Foone🏳️⚧️
it's not. It's actually just a member access to some resource id in a completely unrelated (as far as the compiler & decompiler knows) struct, like a ResourceListNode or something
Foone🏳️⚧️
because they've got functions I've called SafeNodeGetNext and UnsafeNodeGetNext that they use on different linked lists, with different types of different sizes.
Foone🏳️⚧️
So it seems this code is using a C-based (I have seen no hint of C++ in this code, so I think it's C) linked list library.
Foone🏳️⚧️
since it's C, that means they're using some kind of macro system that's going to have FUN type safety issues.
Foone🏳️⚧️
their coding style has a few safe_frob(ptr) functions that are just identical to unsafe_frob (ptr) by adding an "if (ptr==null) return;" at the top.
Foone🏳️⚧️
one annoying detail is that I'm pretty sure this program also uses pointers to specific items in global linked lists.
which look in my disassembly just like iterating over a full list from a global head pointer.
so if I see two SafeNodeGetNext calls to addresses A and B, I assume those are two different lists. It might just be that B is a specific item in the actual global list A.
Foone🏳️⚧️
I'm gonna ignore the confusing reversed source for the funcs and just base it on this NE document, the Resource Table section.
Foone🏳️⚧️
it has been zero days since I crashed explorer
Foone🏳️⚧️
speaking crashing, I can't get this version of the resource explorer to compile without crashing.
So I'm gonna just assume "yeah this makes sense" and get to work on writing that stupid resource-entry parsing code that I don't want to write
Foone🏳️⚧️
What, objdump doesn't have a fully featured (for, like, 1993) image editor? seems like it's not a very good resource editor now is it?
Foone🏳️⚧️
I guess having this tool does help. If I'm correct that it is what made these files, I can make my own with known values and see how they get laid out in the file. In fact, I should probably do just that for verification!
Foone🏳️⚧️
I just love the sheer fucking 90s-developement it is that I told this thing to add a new bitmap and it just busted out an integrated image editor.
Foone🏳️⚧️
I have done way too much of the latter recently, so I'm trying to relax by doing something easier, like trying 15 different development tools to see if any of them can make any sense of a single file. and of course, the most obvious one I should have tried was the one that could finally do it! the one in the compiler suite I already knew this was compiled with.
Foone🏳️⚧️
To be clear: This is all conjecture, based on what I'm seeing in the files. I've not talked to the developers or even looked at the windows 3.1 version yet. But I have Theories.
Foone🏳️⚧️
anyway as cool as this is, it only confirms my theory about how the resource-stuff is working. I still don't have code I can reuse or my own code to handle these resources, so I basically still have to write my own damn NE parsing code.
This is less work than it sounds like, but I am very much in a "reverse engineering" mood and not a "writing scripts to parse files I don't understand based on possibly incorrect reverse engineering source, debugging, and tracebacks"
Foone🏳️⚧️
So they came back to the project and swapped in their own parse-the-NE-file-and-get-a-resource functionality. Now it works on Windows 95.
Foone🏳️⚧️
hey why is there a windows 95 version? windows 95 can run windows 3.1 programs, right?
Foone🏳️⚧️
well I bet this trick is why they made a windows 95 version.
I bet they used some windows 3.x API to find the resources for them, and something about how they did this broke on windows 95.
Foone🏳️⚧️
but as neat as this trick is, I think this is actually the compromise version. This version is a win9x port of the windows 3.1 version, which I haven't looked at yet.
Foone🏳️⚧️
that is very cool. Like, it's a very common thing for a game to have it's own resource-file system. Sometimes it's very filesystem, with paths, and sometimes it's just a index where you can look up by a type+number, or just a number.
Foone🏳️⚧️
but they skipped out on developing half the code they'd need to have their own resource filesystem: They used an existing tool to make the files for them, they just wrote a parser.
Foone🏳️⚧️
Borland Resource Workshop v5.02 OPEN'S IT FUCKING PERFECTLY!
of course. They probably MADE the fucking resource files with this tool! It came with Borland Turbo C++!
Foone🏳️⚧️
They put together dummy DLL/EXEs with BRW containing all their assets, then wrote a little code to parse the bare minimum of the NE header so it could find where resources were.
Foone🏳️⚧️
it's a base-2 floating point number with an unsigned exponent
Foone🏳️⚧️
I thought it sounded familiar, and then I realized:
this is a floating point number.
Foone🏳️⚧️
openwacom says it has no resources, which is incorrect.
Foone🏳️⚧️
the NE file format uses an interesting trick to encode offsets: every offset given is bitshifted by global bitshift-value.
The idea is that as the file gets bigger, you can address farther and farther offsets at the expense of more padding between sections.
Foone🏳️⚧️
oh hey, wrestool from icoutils seems to get something.
Foone🏳️⚧️
nah, if ghidra is doing this right, I'm not getting the chunk ids/fourccs. if ghidra is right, it means the format is somewhat different from a real NE file. But that's a big "IF"
Foone🏳️⚧️
llvm-objdump is the same. I'm gonna need some kind of specialized tool if I want to escape having to reimplement the stupid resource headers. I'm not even sure that's what they're using, they might be ALMOST using it? in a way that breaks tools?
I can't tell. none of my tools can open the fuckers
Foone🏳️⚧️
I mean, I guess Ghidra kinda does? I could maybe export out of that into a file, but that's way more manual than I'd like. I have like, dozens of files here. I am an ADHD programmer: I don't do things manually
Foone🏳️⚧️
well fuck you too, buddy! why wouldn't you just support a format that hasn't been relevant for I dunno 30 years?
Foone🏳️⚧️
obviously everyone is yelling "just use objdump!" but I am running low on linux at the moment and haven't got any such thing installed. and then I spent 5 minutes trying to debug one of my sftp clients wasn't working (I am NOT installing samba at this level of tired) and failing because it turns out it was the other sftp client I didn't know about!
Foone🏳️⚧️
foone@pasilameli:~$ objdump -x plane256.dat
objdump: plane256.dat: file format not recognized
Foone🏳️⚧️
went looking for tools to look inside these dat/exe/dll hybrids and finally found something that can read NE files. It shows resources! and as soon as I try to look at that list, it explodes.
Foone🏳️⚧️
I need to write some code to pull bitmaps from these datafiles. I gotta see if they're doing this at runtime or if they encoded the shit into the datafiles
Foone🏳️⚧️
I have some basic info on how the .DAT files work but I've not yet got the ability to list contents and dump 'em.
Foone🏳️⚧️
why in the fuck didn't they just make it 640x480 and upscale it by 2x? they did some kind of bad nearest-neighbor scale on all the sprites to enlarge them by 60% and it looks terrible
Foone🏳️⚧️
yeah the windows version runs as a 512x384 box inside a larger window, while the DOS version is 320x200 .
Foone🏳️⚧️
oh, 384. less weird
Foone🏳️⚧️
the width is something north of 480 pixels, so I'm guessing 512?
weirdly the save games save your pixel position, so even exiting and reentering won't unfuck your position
Foone🏳️⚧️
oh no, it's worse, it's like ... 385?
Foone🏳️⚧️
Help I'm in the statusbar
Foone🏳️⚧️
the virtual screen height is 320 pixels?
huh. that's a weird number for a HEIGHT
Foone🏳️⚧️
there might be a cheat code no one has found on the capslock key but I can't test it because I don't have a capslock key
Foone🏳️⚧️
hah. It takes all the keypresses from the WM_CHAR/WM_KEYDOWN messages and puts them in a circular buffer.
You know, how keypresses worked on DOS... which this game started as.
Foone🏳️⚧️
WHY DOES IT HAVE A SECOND CIRCULAR KEYBOARD BUFFER
Foone🏳️⚧️
else if ((uMsg != WM_NCACTIVATE) && (uMsg == WM_KEYDOWN)) {
amazing comparison folding here, compiler. so it doesn't match WM_NCACTIVATE, but at the same time it does match WM_KEYDOWN? amazing. almost like you could ignore that first test
Foone🏳️⚧️
I need to start remembering to check if a function is ever called before I waste 5 minutes reverse engineering it. I know exactly how this GetMouseButtonsDown function works and I've spotted at least one minor bug, but now I just found out it's dead code that's never called
Foone🏳️⚧️
JUST DID IT AGAIN RIGHT AFTER THIS POST
I'm a trusting soul, I assume code is in a binary because it's needed for that binary to run. I'm not so used to these early-90s compilers who leave everything in the C file in the binary
Foone🏳️⚧️
oh good and they're "sticky" in a way that only works reliably on windows 16bit
Foone🏳️⚧️
this project just added a new stretch goal: unfuck the graphics for the win32 version so you can run this on modern computers without it looking like 7 types of ass
Foone🏳️⚧️
GetAsyncKeyState considers the mouse to be a keyboard?!
Foone🏳️⚧️
The DOS game this is a port of, for comparison.
The lack of DPI stretch is just because it's DOS and I don't have my DOSBox-X misconfigured, but HEY LOOK CONSISTENT PIXEL WIDTHS
Foone🏳️⚧️
WHAT THE PIXEL ART FUCK IS GOING ON IN THIS SCREENSHOT?
the pixel art itself is inconsistently stretched and then some windows DPI scaling nonsense is blurring the whole thing to make it even worse
Foone🏳️⚧️
still, 500 is pretty low, especially since they're using linked lists which are one-alloc-per-node. 21 of those lists, in fact.
Foone🏳️⚧️
although hardcoded it's adjustable by changing a line in the main() equivalent. I bet they didn't start with 500 and had to tune it up to bigger numbers
Foone🏳️⚧️
that's 500 in use at once. when you free the memory it goes back to the pool
Foone🏳️⚧️
3d Movie Maker does the same thing where they have chunk types that are 4 digit strings, because you can easily pass them around as 32bit values
Foone🏳️⚧️
the game has a hard limit on how many allocations it can do: 500.
Foone🏳️⚧️
spotted a function an hour and a half ago and decided not to reverse it, but I guessed I might take a 4-character string and turn it into a 4-byte DWORD of it.
finally got around to checking it (by just seeing what goes in and comes out in the debugger), and YEP I was correct
Foone🏳️⚧️
I'm not sure what unknown lists 9,10, and 11 are for, but they're connected together. There's code to move things from 10 to 11, 11 to 9, and 11 to 10.
and I think they're only ever added into 11?
Foone🏳️⚧️
ahh, they've got an add function that looks like this:
void func(LinkedListNode* list, LinkedListNode* node, void *)
Turns out it takes a comparison function, so you can put things into the list at their sported position.
Foone🏳️⚧️
oh good one of them is VARIABLE SIZE!
Foone🏳️⚧️
next search: 26 calls to AddToNodeList. presumably it'll get called on each of these near some code to allocate a new node. So I can nail down how big these linked lists are... and hopefully they're consistent enough to make that a meaningful question to ask.
Foone🏳️⚧️
motherfuckers loved them some linked lists apparently.
Foone🏳️⚧️
over a half hour I checked all 160ish calls to UnsafeNodeGetNext and SafeNodeGetNext, and my finally tally is:
21 global linked lists!
18 unknowns, the font list, and the two resource ones.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.