Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
-
Foone🏳️‍⚧️ replied to Graham Sutherland / Polynomial
@gsuberland haven't found out yet but i suspect so
-
@foone it seems like you've solved this, but I have previously dealt with a program using OpenWatcom C that uses their Win16 wrapper and produces an NE executable. Basically it starts up in win16, loads their DPMI handler and a bunch of thunks for 32->WinAPI 16, and then it pulls a 32-bit binary blob (the main program) into memory and executes that. Really a nightmare to get Ghidra working on that; I had to locate the blob and extract it and then load it up as a raw 32-bit .bin
-
@foone my notes on making that work, if you find you're in the same situation:
https://github.com/greg-kennedy/DarkSunOnline/wiki/Client-Disassembly
-
@foone … but… why?
-
@mmu_man different plugins target different versions. compiling between versions is annoying enough that the easiest way to do it is to just have multiple versions installed
-
@greg ooh, nasty. I'm not sure if that's what's happening here, but good to know
-
obviously the first thing you call GetProcAddress on is "GetProcAddress"
-
you know, just in case the address has changed between compile time and run time
-
oh it's trying to load WinG32.dll
that's a pre-directx windows library for high speed graphics. it was partially written to get Doom running at full speed under windows.
-
hah! it works!
it turns out they installed this pre-win95 graphics library into System32 of my 64bit windows system (well, sysWOW64)
-
okay I'm running in a debugger now, with breakpoints on LoadLibrary/GetProcAddress.
There's no activity while doing stuff that'll trigger the .DAT files (which are DLLs) to load.
-
I wonder if these fuckers just skipped using the windows DLL loader and wrote their own so they could use them on win32?
-
@foone woag i am so here for this
i’ve also been reverse engineering gizmos & gadgets (<https://github.com/delan/reverssg>), so i’m very keen to read about what you find. good luck!
-
oh goody, they're not using the regular CreateFile
they're using _lopen. The 16-bit windows compatibility one!
-
@delan oh, awesome! I'll have to look through what you've found so far.
-
and CreateFile.
they use both. fun!
-
see the cool thing about reversing 32bit or 64bit code is that it's not segmented, so when you look in your debugger and it says it's running a function at 0x004013cc, you can go over to ghidra and type in "0x004013cc" and it'll show you that same function!
-
this may seem "boring" and "mundane" and "how debuggers always work?" but just imagine you have lost that simple ability to compare code between the two programs?
that is the horror of 16bit segmented code
-
I've been doing too much GBA reverse engineering. I saw a 32bit pointer starting with 0x02 and tried to remember if that was on-cartridge RAM.
this is a /windows/ program. on windows 10.
THERE ARE NO CARTRIDGES!
-
now let me copy this program onto this SD card in my laptop's built-in SD card reader