and then 13 will be:
b'\x02asked questions about Shinto rituals\x00said\x81was researching an archipelago\x00'

so when it sets up a city that has hints to lead to Tokyo, it picks 3 of these sets of questions, then picks a question in each set.

tool that'd really be handy right now:
a "live" version of binxelview, so I can step through the DOSBox-x debugger and see how memory is changing in real time, as an image.

that might not be TOO hard to hack in, hmm.

I'm stepping through a high-level loading routine I don't understand yet, trying to figure out when it decompresses an image by watching the RAM it uses for file loading and decompression and spotting when the image appears

sadly DOSBox-X's memory breakpoints don't let you set up a breakpoint that covers a whole 64k. you only get one byte. A shame.

ooh, I'd also need to be able to watch multiple address ranges at once. that'd be sweet, multiple windows of visibility into RAM

I'm in Paris, I look at work ram, I see the image of the Eiffel. I head to Rome, and before I load the next image, I can see that the Eiffel tower in workram now has the wrong stride.
That's odd, because it means it had to rewrite the image in memory, the image it's about to unload.

I think this might be the GUI system doing a screenshot of the image under a window, so it can restore it at the end. And it still does that here, even though we'll never need to restore that image: we're about to overwrite it

Here's what I want a tool to do:
I hit a breakpoint in the debugger, I turn it on, set another breakpoint, and hit go.
between those two breakpoints, every time a CALL instruction is hit, it dumps my selected memory region. If it's identical to the last dump, it's ignored.
At the end, each dump is rendered as an image, and the combined set are an animation I can scroll through.

I need a higher order debugger. I'm doing too much shit manually

GOT YOU, YOU SON OF A BITCH! I FOUND YOU.

it's in a function I already found, temporarily named "blit_related".

I guess they don't decode the image until RIGHT before it needs to go up on the screen!

it definitely decompresses and then blits the image as two parts, which aren't evenly sized, and it starts from the bottom

I think they're just trying to keep their RAM usage down by not having both halves in memory at once

wait is this image format vertically interlaced!?

It loads the half-width version, then a few functions later, it's been replaced with a full-width version.
Strange!

wait no, the colors are wrong... I bet I'm seeing it decompress the binary, but that's using the full width of the bytes. it then gets expanded out to a 16-color image.
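
Added example, not part of the thread and not the author's code: a minimal Python sketch of the dump-and-compare tool wished for earlier, combined with the packed-byte to 16-color expansion described in the post above. The nibble order (high nibble is the left pixel), the grayscale palette and the sample dumps are assumptions constructed for illustration.

```python
# Added illustration; not code from the thread. Dumps are constructed inline.

def dedupe(dumps):
    """Keep a dump only if it differs from the one kept just before it."""
    kept = []
    for d in dumps:
        if not kept or d != kept[-1]:
            kept.append(bytes(d))
    return kept

def unpack_4bpp(data):
    """Expand packed bytes to one palette index per pixel.
    Assumption: the high nibble is the left pixel."""
    out = bytearray()
    for b in data:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return bytes(out)

def render_ppm(pixels, stride, palette):
    """Render palette indices as a binary PPM (P6), `stride` pixels per row.
    A trailing partial row is padded with index 0."""
    if stride <= 0:
        raise ValueError("stride must be positive")
    rows = -(-len(pixels) // stride)  # ceiling division
    padded = pixels + bytes(rows * stride - len(pixels))
    body = b"".join(bytes(palette[i]) for i in padded)
    return b"P6\n%d %d\n255\n" % (stride, rows) + body

# Constructed 16-entry grayscale palette (the game's real palette is not on the page).
GRAY16 = [(v * 17, v * 17, v * 17) for v in range(16)]

def frames(dumps, stride, palette=GRAY16):
    """Deduplicate dumps, expand each to 16-color pixels, render one PPM per frame."""
    return [render_ppm(unpack_4bpp(d), stride, palette) for d in dedupe(dumps)]

if __name__ == "__main__":
    # Constructed sample: four dumps of an 8-byte region, two of them repeats.
    sample = [bytes(8), bytes(8), b"\x04" + bytes(7), b"\x04" + bytes(7)]
    for n, ppm in enumerate(frames(sample, stride=4)):
        with open("frame_%03d.ppm" % n, "wb") as f:
            f.write(ppm)
```

Re-rendering the same dumps with a different `stride` is the quick way to check whether a region that looks like noise is really an image at another width.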

well the good news is that I think I've found the decompress_image function. the bad news is that now I have to reverse engineer it :(

it's currently doing the obvious thing for a decompressor to do:
write the byte 04 every 69 bytes

oh sweet jesus, that's the left two pixels of the image.
it's loading the image vertically!

at least it's top to bottom.

yeah, doom did that too, but Doom was a 2.5D image that had to do pseudo-raycasting.

THIS GAME DOES NOT

it allocates a 1024 byte buffer, then makes a pointer to the end of it, minus -0x42?

why would you need a link to the end of a new, freshly cleared buffer, minus 62?

I think the memory allocation system here is that every malloc returns 2 extra bytes, which is a pointer to the previous block.
unless it's an odd number, in which case it's a free block. and pointer to the previous block, once you make it even again

I hate dealing with the internals of memory allocation systems. I prefer to leave that to smarter people than me

You see this little About dialog box? Guess how many times the DrawText function is called?

Once! and just to draw "Where in the World is Carmen Sandiego?".
The rest of the text is drawn elsewhere, and I have no idea why.

correction: it calls it once to draw "Where in the World is Carmen Sandiego?" but that's unrelated to the one on screen WHAT?

Ahh, it's using a different version of the DrawFont call: DrawFontN

the only problem with using Ghidra to hack children's games instead of, like, Serious Things like firmwares or malware or whatever, is sometimes you have to make a label named NUM_MOUNTAIN_CLIMBING_HINTS

(the number of mountain climbing hints is 3, by the way)

I think I accidentally hacked my debugger

It has a surprisingly robust UI engine. I swapped from BoldFont to SmalFont and the menu adapted perfectly.

The game loads the BoldFont first, then the SmallFont, then the NormalFont.

Annoyingly this isn't how they're laid out in memory:
It's SmallFont, then BoldFont, then NormalFont

Weirdly, swapping the NormalFont for the SmallFont causes the printer text to be VERTICAL, for reasons I do not remotely understand!

font_alloc = malloc(local_a);
if (font_alloc == (void *)0x0) {
    font_alloc = (void *)0x0;
}

Ahh yes. remember, if you get a null pointer back from malloc(), make sure to set that variable to NULL so it won't be left as... NULL?

man, running on 4 hours of sleep is killing me.
I can't even remember the MS-DOS interrupt to open a file!

I know reading it is int 21 ah=3f, closing it is int 21 ah=3d, and I'll never forget that seeking is int 21 ah=42, but how do you open a file?
I mean, not the int 21 ax=6c00 way, that one is only for DOS 4.0+, and obviously a game released in 1990 isn't gonna use that.

ahh, now that I've looked it up, it seems I was wrong!
closing isn't 3D, that's 3E! 3D is open!

no wonder I couldn't remember it, I had it confused with another call

looking it up took less than 10 seconds, but that's 10 seconds I'll never get back.

what the fuck do you mean that carmen.dat is opened on the first call to finish_draw_maybe()?

like, I know there's a "maybe" in that name, but it's not THAT big of a maybe.

Scott Michaud

@foone The hit single from Carmen Dat Jepson... Call My Maybe().

@scottmichaud hah!
I should get a sticker for my laptop that says "I'd rather be listening to Carly Rae Jepsen's hit 2015 album Emotion than this!"