I don't know if I'm weird or if it's just normal to get random reverse engineering urges.
-
It seems the way the function works that it's passed a buffer as DS, then it loads the file starting from address 0, and writes that into 0x2CEF and up That's 11k into the buffer, so well above any real file.
-
okay I'm following through the decompress loading A3.ARE. I can see in the data segment we've got the data in the file, but up at 2CEF? all zeros. now if I wait for this function to return, that should get filled out
-
NOPE I'm completely wrong. They've got ES and DS pointing at different segments.
2CEF is the start (I guess?) of the output buffer, in a different segment -
Foone🏳️⚧️replied to Foone🏳️⚧️ last edited by [email protected]
there's some values over 0x80 in the decompressed out so I think I'm misunderstanding the decompression
-
I wonder of those 6-byte chunks are objects? like, x-pos, y-pos, z-pos, look up object ID in the CMP file?
-
the game hangs if you try to copy the wrong .ARE file into the place, so I suspect there's some internal location references or something that break
-
so when the game launches it asks me what video mode I want (Hercules, CGA, Tandy/Amstrad, or VGA) and then asks me to insert the data disk. This is not fun, since I always give it the same answers. So let's fix that
-
the what video mode do you want? string starts at 1000:6648 and it's referenced from... nowhere. or so ghidra thinks.
-
so lets instead search the whole program for the scalar 6648 and OH LOOK IT'S REFERENCED AFTER ALL
-
ghidra: I know decompilers that understand segments and they're all cowards
-
okay so video mode hercules is actually CGA but with a flag set.
-
weird.
it stores the video mode selected (1-3) in 1000:912d, then stores the video mode TIMES TWO in 1000:912e and 1000:6646 -
why bother using the DOS api for changing interrupt handlers, when you can just address segment zero? WHY NOT INDEED, ECHELON?
-
at least they remembered to call CLI first
-
I think they're dynamically loading code and stuffing it into the tick handler
-
the best place to stick dynamically loaded code: INSIDE AN INTERRUPT HANDLER
-
I need to turn my patching shit form Super Solvers Gizmos & Gadgets into a generic thing I can use on any game. That'd be sweet
-
anyway for now I can just skip the disk swap check by patching out CALL DiskSwapCheck, since it has no side-effects.
The video mode check unfortunately does, so I gotta leave it in but hack it to think I said "VGA" -
patch 0xDF0A with 90 90 90 to skip disk check
patch 0xE2BF with C6 C0 33 90 90 90 to skip video check. 33=VGA, 32=Tandy/Amstrad, 31=CGA, 68=Hercules -
I think this was written with a macro assembler by someone who loved macros.
Like there's a lot of times where the code would be like
LEA EAX, SomeString
CALL PRINTFin a saner world, but instead there's a loop that uses global memory addresses and calls the BIOS TELETYPE OUTPUT call letter by letter. and that loop appears in every function that needs to do printf()
