Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
-
you know, just in case the address has changed between compile time and run time
-
oh it's trying to load WinG32.dll
that's a pre-directx windows library for high speed graphics. it was partially written to get Doom running at full speed under windows.
-
hah! it works!
it turns out they installed this pre-win95 graphics library into System32 of my 64bit windows system (well, sysWOW64)
-
okay I'm running in a debugger now, with breakpoints on LoadLibrary/GetProcAddress.
There's no activity while doing stuff that'll trigger the .DAT files (which are DLLs) to load.
-
I wonder if these fuckers just skipped using the windows DLL loader and wrote their own so they could use them on win32?
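A quick way to confirm the ".DAT files are actually DLLs" observation before assuming a custom loader, as an added example that is not Foone's code or tooling: parse the MZ and PE headers and flag images carrying the IMAGE_FILE_DLL characteristic under a non-.dll extension. The sample headers are constructed inline; `inspect_pe`, `classify` and `fake_pe` are names chosen here.

```python
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000           # COFF Characteristics bit: image is a DLL
IMAGE_FILE_MACHINE_I386 = 0x14C   # 32-bit x86 target


def inspect_pe(data: bytes) -> Optional[dict]:
    """Return basic COFF header facts if `data` is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # 20-byte COFF file header follows the 4-byte signature
    machine, nsections, _ts, _symptr, _nsyms, _opt, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
    }


def classify(name: str, data: bytes) -> str:
    """Describe a file, calling out PE DLLs that hide behind another extension."""
    info = inspect_pe(data)
    if info is None:
        return "not PE"
    kind = "DLL" if info["is_dll"] else "EXE"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind == "DLL" and ext != "dll":
        return f"PE {kind} disguised as .{ext}"
    return f"PE {kind}"


def fake_pe(is_dll: bool) -> bytes:
    """Construct a minimal MZ+PE header (sample data, not a real file)."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, chars)
    return bytes(hdr)


if __name__ == "__main__":
    print(classify("LEVEL1.DAT", fake_pe(True)))   # constructed sample
```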
-
@foone woag i am so here for this
i’ve also been reverse engineering gizmos & gadgets (<https://github.com/delan/reverssg>), so i’m very keen to read about what you find. good luck!
-
oh goody, they're not using the regular CreateFile
they're using _lopen. The 16-bit windows compatibility one!
-
@delan oh, awesome! I'll have to look through what you've found so far.
-
and CreateFile.
they use both. fun!
-
see the cool thing about reversing 32bit or 64bit code is that it's not segmented, so when you look in your debugger and it says it's running a function at 0x004013cc, you can go over to ghidra and type in "0x004013cc" and it'll show you that same function!
-
this may seem "boring" and "mundane" and "how debuggers always work?" but just imagine you have lost that simple ability to compare code between the two programs?
that is the horror of 16bit segmented code
-
I've been doing too much GBA reverse engineering. I saw a 32bit pointer starting with 0x02 and tried to remember if that was on-cartridge RAM.
this is a /windows/ program. on windows 10.
THERE ARE NO CARTRIDGES!
-
now let me copy this program onto this SD card in my laptop's built-in SD card reader
-
Jason Parker (he/they) replied to Foone🏳️⚧️:
@foone but what if there were cartridges?
-
Foone🏳️⚧️ replied to Jason Parker (he/they):
@north this thought experiment gave us the IBM PCjr, which was a massive flop.
-
@foone couldn't have written a little script to write that for them? or do you think they actually copy pasted that out by hand?
-
@Canageek probably a macro in their compiler. little scripts are rarer then, but possibly?
-
yeah this is some windows 3.x-ass code. They definitely recompiled it as 32bit and did all the changes that required, but the general feel of the code is that it's 3.x code, with how it handles most things.
-
WHAT IN THE BORLAND TURBO C PLUS PLUS IS GOING ON HERE?
-
Ghidra is better at reversing MSVC-style arguments than Borland-style. Makes sense. Probably not a lot of Evil Malware written in Borland Turbo C++ these days