@dividuum got it:
they're drawing the font 9 times, offset in each of the 8 directions, and in black. then they draw it in white, with no offset.
It's a pixel-outliner! By drawing their pixel font offset in each direction, they get a black outline on their font.
=> More informations about this toot | More toots from foone@digipres.club
The Answer to the DRM questions for Where in the world is Carmen Sandiego? Enhanced (DOS, 1990) are, in no particular order:
23
Kent
dragon
calcium
1796
Warren
revenue
1792
Willard
1937
Crater
Tanzania
Hartford
Duluth
London
Gem
Silent
squeaker
=> More informations about this toot | More toots from foone@digipres.club
if ((0x80 >> ((byte)local_4 & 7) &
(int)(char)*(byte *)((int)((int *)param_1 + 1) + (local_4 >> 3))) != 0) {
COULD YOU USE SOME MORE CASTS MAYBE?
=> More informations about this toot | More toots from foone@digipres.club
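As an added example (my code, not the game's or foone's): with the casts stripped, that decompiled line is an ordinary MSB-first lookup into a bit array, which is also how a packed 1bpp glyph row is read, so this uses it to unpack a glyph and then applies the 8-offset outline trick @dividuum spotted further up. The glyph, palette indices and canvas padding are constructed for the example.

```python
"""Added example (not the game's or foone's code): the decompiled bit test,
stripped of its casts, used to unpack a packed 1bpp glyph, followed by the
8-offset outline trick from the thread. Glyph, palette and canvas padding
are constructed for this example."""

# Constructed 8x8 glyph 'T' as packed rows: one byte per row, MSB = leftmost pixel.
GLYPH_T = bytes([0b11111110, 0b00010000, 0b00010000, 0b00010000,
                 0b00010000, 0b00010000, 0b00010000, 0b00000000])

# Palette indices for the output canvas (constructed).
BG, BLACK, WHITE = 0, 1, 2


def bit_is_set(bitmap: bytes, i: int) -> bool:
    """Bit i of an MSB-first bit array: byte i >> 3, mask 0x80 >> (i & 7).
    This is the test Ghidra rendered with all those casts."""
    return (0x80 >> (i & 7)) & bitmap[i >> 3] != 0


def unpack_glyph(rows: bytes, width: int) -> list[list[int]]:
    """Expand packed rows into a list of pixel rows (0 = off, 1 = on)."""
    stride = (width + 7) // 8                       # bytes per row
    return [[int(bit_is_set(rows, y * stride * 8 + x)) for x in range(width)]
            for y in range(len(rows) // stride)]


def draw_outlined(glyph: list[list[int]]) -> list[list[int]]:
    """Draw the glyph in BLACK at each of the 8 one-pixel offsets, then in
    WHITE with no offset: nine draws, onto a canvas padded by one pixel on
    every side so the outline has room."""
    height, width = len(glyph), len(glyph[0])
    canvas = [[BG] * (width + 2) for _ in range(height + 2)]

    def blit(colour: int, dx: int, dy: int) -> None:
        for y, row in enumerate(glyph):
            for x, on in enumerate(row):
                if on:
                    canvas[y + 1 + dy][x + 1 + dx] = colour

    for dy in (-1, 0, 1):
        for dx in (-1, 0, 1):
            if dx or dy:                            # the 8 neighbours only
                blit(BLACK, dx, dy)
    blit(WHITE, 0, 0)                               # body on top of the outline
    return canvas


def render(canvas: list[list[int]]) -> str:
    """ASCII view: '.' background, 'o' outline, '#' glyph body."""
    return "\n".join("".join(".o#"[p] for p in row) for row in canvas)


if __name__ == "__main__":
    print(render(draw_outlined(unpack_glyph(GLYPH_T, 8))))
```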
oh it's because ghidra's near/far pointer support is shit.
I had param2 defined as a byte32 and it was casting it to a byte before using it
=> More informations about this toot | More toots from foone@digipres.club
if I define it as byte* and let the calling convention implicitly define it as 32bit, it doesn't do the cast
=> More informations about this toot | More toots from foone@digipres.club
well I found the decompression method.
as always, I hate it. decompression routines are probably my least favorite thing to reverse engineer
=> More informations about this toot | More toots from foone@digipres.club
I think this compression is specifically designed for ASCII text, which is annoying because they've also got compressed images... which probably use a DIFFERENT COMPRESSION!
=> More informations about this toot | More toots from foone@digipres.club
it looks like this chunk has length 256, which means 253 usable bytes, and it expands to 374 bytes.
Not the greatest compression. a little better than just doing 6-bit ASCII.
=> More informations about this toot | More toots from foone@digipres.club
it's some kind of shifting bit mask but it starts at encoding values in 4 bits, then it can increase (or decrease, I guess) based on the input stream.
then it has an output filter, where if the number specified wasn't 8 bits, it's actually an index into a predefined text table
=> More informations about this toot | More toots from foone@digipres.club
the predefined table starts with NUL, space, then:
aetonisrdlhugfcwypbmk,vSA.T'PMxBCIRGDWHqE-zNFKL0j:51YJ8\U?73Q;2!469
\r\nOVXZ()*+"#$%&<=>/@[]^_`
=> More informations about this toot | More toots from foone@digipres.club
given that the most common symbols are near the beginning, this is presumably a sort of lazy huffman coding
=> More informations about this toot | More toots from foone@digipres.club
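An added model (not the game's decoder, and not foone's script) of the scheme sketched in the last few toots: codes start at 4 bits, shift width on in-stream escapes, and anything narrower than 8 bits goes through the posted table as an output filter. The escape values, the greedy encoder and the known-symbol-count interface are assumptions; only the table and the 4-bit-start / 8-bit-literal rule come from the thread.

```python
"""Added example, not the game's decoder: a model of the text coding foone
describes. Codes start 4 bits wide, escape codes in the stream move the width
up or down, codes narrower than 8 bits index the predefined table, 8-bit codes
are raw bytes. Escape values and the greedy encoder are ASSUMED; the table is
the one posted in the thread (NUL, space, then the rest)."""

TABLE = ("\x00 "
         "aetonisrdlhugfcwypbmk,vSA.T'PMxBCIRGDWHqE-zNFKL0j:51YJ8\\U?73Q;2!469"
         "\r\nOVXZ()*+\"#$%&<=>/@[]^_`")
INDEX = {ch: i for i, ch in enumerate(TABLE)}
MIN_W, MAX_W = 4, 8          # 4..7-bit codes index TABLE, 8-bit codes are literals

def widen(w: int) -> int: return (1 << w) - 1    # escape: all ones
def narrow(w: int) -> int: return (1 << w) - 2   # escape: all ones but the last


def read_bits(data: bytes, pos: int, width: int) -> int:
    """MSB-first read of `width` bits at bit offset `pos`, the same
    (0x80 >> (pos & 7)) & byte test that appears in the decompiled code."""
    value = 0
    for p in range(pos, pos + width):
        value = (value << 1) | (1 if (0x80 >> (p & 7)) & data[p >> 3] else 0)
    return value


def encode(text: str) -> bytes:
    bits, width = [], MIN_W
    for ch in text:
        idx = INDEX.get(ch)
        if idx is None:                             # not in the table: 8-bit literal
            need, code = MAX_W, ord(ch)
            if code >= narrow(MAX_W):
                raise ValueError(f"byte {code:#x} collides with an escape")
        else:                                       # smallest width with room for idx
            need, code = MIN_W, idx
            while idx >= narrow(need):
                need += 1
        steps = ([(widen(w), w) for w in range(width, need)] or
                 [(narrow(w), w) for w in range(width, need, -1)])
        for value, w in steps + [(code, need)]:     # escapes first, then the symbol
            bits.extend((value >> (w - 1 - k)) & 1 for k in range(w))
        width = need
    bits += [0] * (-len(bits) % 8)                  # pad the final byte
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def decode(data: bytes, count: int) -> str:
    pos, width, out = 0, MIN_W, []
    while len(out) < count:                         # chunk sizes are known from the file
        code = read_bits(data, pos, width)
        pos += width
        if code == widen(width):
            width += 1                              # next code is one bit wider
        elif code == narrow(width):
            width -= 1                              # next code is one bit narrower
        elif width == MAX_W:
            out.append(chr(code))                   # 8-bit code: raw byte
        elif code < len(TABLE):
            out.append(TABLE[code])                 # output filter: table lookup
        else:
            raise ValueError(f"bad code {code} at width {width}")
        if not MIN_W <= width <= MAX_W:
            raise ValueError("escape moved the width out of range")
    return "".join(out)
```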
but I've got the predefined table, an input file, an output file, and now I need to write some python code to replicate this, hopefully without crying
=> More informations about this toot | More toots from foone@digipres.club
"vs ses oa is isgit's tc eital and largest t u anhtA ttggh os nnotosnhrdsmarosogdn ss drte tishoth's isdhsceohtsnthminder of isgit's t nuorhdhtpast\x00 geru is slightltsn oaller than ndhd na and is o nnsgtgstbtst oa dotlalssaaolootbiaoht Sal gh, sonuhvia and sl ghh\x00isgit, ontvdn ss nhsiaalgarsnadlfnaatawlarst oadrlhrs i is a rugged land dooousr'casrbhe nrdsgs fountainsnht iah"
=> More informations about this toot | More toots from foone@digipres.club
I mean, it's not 100% wrong, but it's not right either
=> More informations about this toot | More toots from foone@digipres.club
that's supposed to read:
"\x03Lima is Peru's capital and largest city. A well-known landmark is the Archbishop's Palace, a reminder of Peru's colonial past\x00Peru is slightly smaller than Alaska and is bordered by Ecuador, Colombia, Brazil, Bolivia and Chile\x00Peru, once the center of the mighty Incan Empire, is a rugged land dominated by the Andes Mountains. Forests and jungles cover half its land area\x00"
=> More informations about this toot | More toots from foone@digipres.club
I somehow confused the dosbox-x debugger into not accepting letters anymore
=> More informations about this toot | More toots from foone@digipres.club
it was a trivial off-by-one error.
I was doing saved_byte=input[3]
but while I needed the 3rd byte, that's at input[2]
=> More informations about this toot | More toots from foone@digipres.club
yess!
C:\DOSBox-X\drive_c\carmen\py>python datfile.py cities.dat --dump=12803 --decompress
"\x03Sydney, with a population of more than 3.3 million people, is Australia's largest city. A well-known sight is Sydney's distinctively designed Opera House\x00An island continent, Australia is nearly as large as the United States but has only one-fifteenth the population\x00The capital of Australia is Canberra, located in the southeast corner of the country between Sydney and Melbourne\x00"
=> More informations about this toot | More toots from foone@digipres.club
It starts with \x03 to indicate there's three strings: then it describes the city three times. at runtime it uses select_string function with a random input to select one of the three strings
=> More informations about this toot | More toots from foone@digipres.club
okay now that I can decode the chunks (well, most of them) I can identify a lot more of them:
00 Name and (some other info)
01 ???
02 Image
03 City descriptions
04 Items to steal
10 ???
11&up: Hints leading here
=> More informations about this toot | More toots from foone@digipres.club
So like, the 12 chunk for Tokyo says:
b'\x05asked about the exchange rate for yen\x00was practicing Japanese characters\x00said\x81planned to take photographs of Mount Fuji\x00asked about tours of the Imperial Palace\x00was interested in visiting Shinto shrines\x00'
So it picks from one of those 5 options
=> More informations about this toot | More toots from foone@digipres.club
and then 13 will be:
b'\x02asked questions about Shinto rituals\x00said\x81was researching an archipelago\x00'
=> More informations about this toot | More toots from foone@digipres.club
so when it sets up a city that has hints to lead to Tokyo, it picks 3 of these sets of questions, then picks a question in each set.
=> More informations about this toot | More toots from foone@digipres.club
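As an added example (not from the game or from foone's script), a parser for these count-prefixed, NUL-separated chunks plus a model of select_string and the three-set hint set-up just described. The two Tokyo chunks and the Lima description are copied from the thread; CHUNK_11 is constructed, and the \x81 byte is kept as an opaque character since its meaning isn't given here.

```python
"""Added example, not the game's code: a parser for the count-prefixed,
NUL-separated string chunks dumped in the thread, a model of select_string,
and the hint set-up described for a city. The Tokyo chunks and the Lima
description are copied from the thread; CHUNK_11 is constructed."""
import random

# Constructed stand-in for a third hint set; the thread only shows 12 and 13.
CHUNK_11 = (b"\x02asked for directions to the fish market\x00"
            b"was reading a train timetable\x00")
CHUNK_12 = (b"\x05asked about the exchange rate for yen\x00was practicing Japanese "
            b"characters\x00said\x81planned to take photographs of Mount Fuji\x00asked "
            b"about tours of the Imperial Palace\x00was interested in visiting Shinto "
            b"shrines\x00")
CHUNK_13 = (b"\x02asked questions about Shinto rituals\x00"
            b"said\x81was researching an archipelago\x00")
# Type 03 chunk (city descriptions) uses the same layout: \x03 then three strings.
LIMA_DESCRIPTION = (
    b"\x03Lima is Peru's capital and largest city. A well-known landmark is the "
    b"Archbishop's Palace, a reminder of Peru's colonial past\x00Peru is slightly "
    b"smaller than Alaska and is bordered by Ecuador, Colombia, Brazil, Bolivia and "
    b"Chile\x00Peru, once the center of the mighty Incan Empire, is a rugged land "
    b"dominated by the Andes Mountains. Forests and jungles cover half its land area\x00")


def parse_string_chunk(chunk: bytes) -> list[str]:
    """First byte = number of strings, then that many NUL-terminated strings."""
    if not chunk:
        raise ValueError("empty chunk")
    count, body = chunk[0], chunk[1:]
    if not body.endswith(b"\x00"):
        raise ValueError("last string is not NUL-terminated")
    strings = body[:-1].split(b"\x00")
    if len(strings) != count:
        raise ValueError(f"count byte says {count}, found {len(strings)} strings")
    return [s.decode("latin-1") for s in strings]   # keeps \x81 as one character


def select_string(chunk: bytes, rnd=random) -> str:
    """Model of the game's select_string: one of the chunk's strings at random."""
    strings = parse_string_chunk(chunk)
    return strings[rnd.randrange(len(strings))]


def setup_hints(hint_chunks: list[bytes], rnd=random) -> list[str]:
    """As described: pick 3 of the city's hint sets (chunks 11 and up), then
    one question from each, giving three witness statements for that city."""
    if len(hint_chunks) < 3:
        raise ValueError("a city needs at least 3 hint sets")
    return [select_string(c, rnd) for c in rnd.sample(hint_chunks, 3)]
```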
tool that'd really be handy right now:
a "live" version of binxelview, so I can step through the DOSBox-x debugger and see how memory is changing in real time, as an image.
=> More informations about this toot | More toots from foone@digipres.club
that might not be TOO hard to hack in, hmm.
=> More informations about this toot | More toots from foone@digipres.club
I'm stepping through a high-level loading routine I don't understand yet, trying to figure out when it decompresses an image by watching the RAM it uses for file loading and decompression and spotting when the image appears
=> More informations about this toot | More toots from foone@digipres.club
sadly DOSBox-X's memory breakpoints don't let you set up a breakpoint that covers a whole 64k. you only get one byte. A shame.
=> More informations about this toot | More toots from foone@digipres.club
ooh, I'd also need to be able to watch multiple address ranges at once. that'd be sweet, multiple windows of visibility into RAM
=> More informations about this toot | More toots from foone@digipres.club
I'm in Paris, I look at work ram, I see the image of the Eiffel. I head to Rome, and before I load the next image, I can see that the Eiffel tower in workram now has the wrong stride.
That's odd, because it means it had to rewrite the image in memory, the image it's about to unload.
=> More informations about this toot | More toots from foone@digipres.club
I think this might be the GUI system doing a screenshot of the image under a window, so it can restore it at the end. And it still does that here, even though we'll never need to restore that image: we're about to overwrite it
=> More informations about this toot | More toots from foone@digipres.club
Here's what I want a tool to do:
I hit a breakpoint in the debugger, I turn it on, set another breakpoint, and hit go.
between those two breakpoints, every time a CALL instruction is hit, it dumps my selected memory region. If it's identical to the last dump, it's ignored.
At the end, each dump is rendered as an image, and the combined set are an animation I can scroll through.
=> More informations about this toot | More toots from foone@digipres.club
I need a higher order debugger. I'm doing too much shit manually
=> More informations about this toot | More toots from foone@digipres.club
GOT YOU, YOU SON OF A BITCH! I FOUND YOU.
=> More informations about this toot | More toots from foone@digipres.club
it's in a function I already found, temporarily named "blit_related".
I guess they don't decode the image until RIGHT before it needs to go up on the screen!
=> More informations about this toot | More toots from foone@digipres.club
it definitely decompresses and then blits the image as two parts, which aren't evenly sized, and it starts from the bottom
=> More informations about this toot | More toots from foone@digipres.club
I think they're just trying to keep their RAM usage down by not having both halves in memory at once
=> More informations about this toot | More toots from foone@digipres.club
wait is this image format vertically interlaced!?
=> More informations about this toot | More toots from foone@digipres.club
It loads the half-width version, then a few functions later, it's been replaced with a full-width version.
Strange!
=> More informations about this toot | More toots from foone@digipres.club
wait no, the colors are wrong... I bet I'm seeing it decompress the binary, but that's using the full width of the bytes. it then gets expanded out to a 16-color image.
=> More informations about this toot | More toots from foone@digipres.club
well the good news is that I think I've found the decompress_image function. the bad news is that now I have to reverse engineer it :(
=> More informations about this toot | More toots from foone@digipres.club
it's currently doing the obvious thing for a decompressor to do:
write the byte 04 every 69 bytes
=> More informations about this toot | More toots from foone@digipres.club
oh sweet jesus, that's the left two pixels of the image.
it's loading the image vertically!
at least it's top to bottom.
=> More informations about this toot | More toots from foone@digipres.club
yeah, doom did that too, but Doom was a 2.5D image that had to do pseudo-raycasting.
THIS GAME DOES NOT
=> More informations about this toot | More toots from foone@digipres.club
it allocates a 1024 byte buffer, then makes a pointer to the end of it, minus -0x42?
why would you need a link to the end of a new, freshly cleared buffer, minus 62?
=> More informations about this toot | More toots from foone@digipres.club
I think the memory allocation system here is that every malloc returns 2 extra bytes, which is a pointer to the previous block.
unless it's an odd number, in which case it's a free block. and pointer to the previous block, once you make it even again
=> More informations about this toot | More toots from foone@digipres.club
I hate dealing with the internals of memory allocation systems. I prefer to leave that to smarter people than me
=> More informations about this toot | More toots from foone@digipres.club
You see this little About dialog box? Guess how many times the DrawText function is called?
Once! and just to draw "Where in the World is Carmen Sandiego?".
The rest of the text is drawn elsewhere, and I have no idea why.
=> More informations about this toot | More toots from foone@digipres.club
correction: it calls it once to draw "Where in the World is Carmen Sandiego?" but that's unrelated to the one on screen WHAT?
=> More informations about this toot | More toots from foone@digipres.club
Ahh, it's using a different version of the DrawFont call: DrawFontN
=> More informations about this toot | More toots from foone@digipres.club
the only problem with using Ghidra to hack children's games instead of, like, Serious Things like firmwares or malware or whatever, is sometimes you have to make a label named NUM_MOUNTAIN_CLIMBING_HINTS
=> More informations about this toot | More toots from foone@digipres.club
(the number of mountain climbing hints is 3, by the way)
=> More informations about this toot | More toots from foone@digipres.club
I think I accidentally hacked my debugger
=> More informations about this toot | More toots from foone@digipres.club
It has a surprisingly robust UI engine. I swapped from BoldFont to SmallFont and the menu adapted perfectly.
=> More informations about this toot | More toots from foone@digipres.club
The game loads the BoldFont first, then the SmallFont, then the NormalFont.
Annoyingly this isn't how they're laid out in memory:
It's SmallFont, then BoldFont, then NormalFont
=> More informations about this toot | More toots from foone@digipres.club
Weirdly, swapping the NormalFont for the SmallFont causes the printer text to be VERTICAL, for reasons I do not remotely understand!
=> More informations about this toot | More toots from foone@digipres.club
font_alloc = malloc(local_a);
if (font_alloc == (void *)0x0) {
font_alloc = (void *)0x0;
}
Ahh yes. remember, if you get a null pointer back from malloc(), make sure to set that variable to NULL so it won't be left as... NULL?
=> More informations about this toot | More toots from foone@digipres.club
The three fonts
=> More informations about this toot | More toots from foone@digipres.club
man, running on 4 hours of sleep is killing me.
I can't even remember the MS-DOS interrupt to open a file!
I know reading it is int 21 ah=3f, closing it is int 21 ah=3d, and I'll never forget that seeking is int 21 ah=42, but how do you open a file?
I mean, not the int 21 ax=6c00 way, that one is only for DOS 4.0+, and obviously a game released in 1990 isn't gonna use that.
=> More informations about this toot | More toots from foone@digipres.club
ahh, now that I've looked it up, it seems I was wrong!
closing isn't 3D, that's 3E! 3D is open!
no wonder I couldn't remember it, I had it confused with another call
=> More informations about this toot | More toots from foone@digipres.club
looking it up took less than 10 seconds, but that's 10 seconds I'll never get back.
=> More informations about this toot | More toots from foone@digipres.club
what the fuck do you mean that carmen.dat is opened on the first call to finish_draw_maybe()?
like, I know there's a "maybe" in that name, but it's not THAT big of a maybe.
=> More informations about this toot | More toots from foone@digipres.club
@foone nice
=> More informations about this toot | More toots from lucas@treffenstaedt.de
@foone it's the most efficient way to render images in planar EGA/VGA video modes. So clearly that's what you need to use for a game that's mostly static screens 😄
=> More informations about this toot | More toots from lethal_guitar@mastodon.social
@lethal_guitar yeah. I guess it's faster to draw, but given that it's static scenes... The disk access is gonna take longer!
=> More informations about this toot | More toots from foone@digipres.club
@foone “I saw the routine you’re looking for. It left in a GOTO statement flying a blue and white flag.”
=> More informations about this toot | More toots from nosword@localization.cafe
@foone Oh! I love that game! My first roguelite (?)
=> More informations about this toot | More toots from nycki@bark.lgbt
@foone I dunno why but that gives me a "subtle thing that's wrong which leads into things turning to horror" vibe.
"Where in the world is Carmen Sandiego?"
she's right behind you
run.
=> More informations about this toot | More toots from Plan_A_to_Y@furry.engineer
@Plan_A_to_Y the last thing a young ACME sleuth hears is a chuckle and "nothing personal, kid"
=> More informations about this toot | More toots from foone@digipres.club
@foone
A classic PC game reimagined as a modern crime thriller.
Just where is Carmen Sandiego?
And where will her gang strike next?
Honestly, I'd watch the hell out of that.
=> More informations about this toot | More toots from Plan_A_to_Y@furry.engineer
@foone that sort of nonsense makes me c-sick. Python has its flaws, but that ain't one of them
=> More informations about this toot | More toots from ingram@mastodon.social
@ingram @foone this isn't a flaw of C, it's just Questionable Code. Perhaps working around some compiler bug, if we're being generous, or perhaps the compiler just generating weird stuff. :')
=> More informations about this toot | More toots from dotstdy@mastodon.social
@dotstdy @foone malloc is both a feature and a flaw.
=> More informations about this toot | More toots from ingram@mastodon.social
@foone I mean, it's good to double-check right?
=> More informations about this toot | More toots from pettter@social.accum.se
@foone perhaps NULL may not be 0, but 0 is desired for easy if(pointer) checking :P
I love C btw.
=> More informations about this toot | More toots from jane@smolhaj.social
@foone hey. who nicked me brunch
=> More informations about this toot | More toots from lritter@mastodon.gamedev.place
@foone That 'small' font is a fitty.
=> More informations about this toot | More toots from dave@basilisk.gallery
@foone why does bold, the largest of the fonts, not simply eat the others?
=> More informations about this toot | More toots from apmasell@mastodon.social
@apmasell Its tummy is already full.
@foone
=> More informations about this toot | More toots from riley@toot.cat
@foone why aren't there tv shows with this specific kind of archeology ☹️
=> More informations about this toot | More toots from capeta@ursal.zone
@foone inlined helper that optimises out to a null?
=> More informations about this toot | More toots from viraptor@cyberplace.social
@viraptor probably. or a macro and a poor optimizer.
=> More informations about this toot | More toots from foone@digipres.club
@foone Maybe they want a stack null pointer instead of a heap null pointer.
Except now they're leaking a null pointer by not freeing it first!
=> More informations about this toot | More toots from alh@hachyderm.io
@foone I think the “if” actually checks for ‘null’, which may not be zero. I’m unclear if the assignment sets the pointer to null or zero.
I need to find a machine where null isn’t zero. I’m sure it will cause havoc with most C code. Having spent a lot of (professional) time with a machine where sizeof(short) was 1 and sizeof(long) was 2, I fear I might actually enjoy it.
=> More informations about this toot | More toots from thejpster@hachyderm.io
@foone I bet they had a debug build that did something fun inside that branch. Maybe they put some sentinel value there to track which caller of malloc was responsible.
Not sure why their compiler didn't optimize the branch away in the release build, though
=> More informations about this toot | More toots from lambdageek@mastodon.social
@lambdageek well it's a compiler from 1988, it's not the best
=> More informations about this toot | More toots from foone@digipres.club
@foone back in the day, not everybody who worked in programming was certain about how assignment worked.
To be fair, I think we'll get more of those if we're all starting to rely on AI completions...
=> More informations about this toot | More toots from StompyRobot@mastodon.gamedev.place
@foone maybe it's a template used by many games made by the devs, and it's done differently than the title and that's why it's somewhere else in the code?
=> More informations about this toot | More toots from NosirrahSec@infosec.exchange
@foone they made the whole thing a bitmap just to handle the o in broderbund?
=> More informations about this toot | More toots from Norgg@mastodon.social
@foone it says who you can ask about it right there!
=> More informations about this toot | More toots from yomimono@wandering.shop
@foone wow that screenshot is a blast of nostalgia. I played that game so much
=> More informations about this toot | More toots from neogetz@mastodon.social
@foone -66. Off by one from 'A'. I bet they start some sort of count or lookup table of some text and are saving the subtraction in the loop.
=> More informations about this toot | More toots from Flux@wandering.shop
@foone I have seen that behavior in OS development, when you need to reserve space for a stack and the first pointer needs to match a specific global alignment.
=> More informations about this toot | More toots from ColinFinck@hachyderm.io
@foone New image format that orders the pixels in a spiral anticlockwise from the top left to the centre.
=> More informations about this toot | More toots from coreworlder@dice.camp
@foone Nice?
=> More informations about this toot | More toots from dalias@hachyderm.io