Funny fact: I was trying to get an online assembler to spit out the machine code for "int 1a" but couldn't get it to, so I just went "fuck it, I can probably just do that in my head!"

Turns out I can. My brain is weird.

PRONOUNS DETECTED: THIS GAME IS WOKE

sadly they don't have they/them on here. What about the non-binary criminals, huh?

I think I might be able to do the hack I want by changing one byte.

I'm trying to change it so it has "daily challenges", and I think I can fix that by just switching a INT 1A from subfunction 00 to 04, making it seed the random function with the date instead of the ticks-since-midnight

NORMAL CODE

random(*(byte *)*(undefined2 *)
(*(int *)(*(int *)0x39a6 * 0xe + local_c * 2 + 0x1d02) * 2 +
*(int *)(local_c * 2 + 0x24b)) - 1);

why? because they have strings like:
char* HE="He\0\0She\0"
char* HIS="His\0Hers\0";
char* HIM="Him\0Her\0";

so they can do like:

printf("Follow %s to %s lair, and capture %s alive!", badguy->name, HIS+badguy->gender, HIM+badguy->gender);

why does ghidra's "search by instruction pattern" default to BINARY?
what kind of a freak remembers the machine code for INT 21 on x86 in BINARY?
it's CD21h, not 1100110100100001!

what are you, some kind of nerd?

I love reversing a string and it's:

void printString(char* str, int length);

and I go look what calls it, reverse that function, and it's:

void printStringSimple(char *str){
printString(str, strlen(str));
}

it's like "aww, did someone have second thoughts about making PRINT always take a length, and got tired of having to manually calculate lengths so you just wrapped it?

and your compiler didn't inline SHIT?

so the game uses a pattern like this:
char * RANKS="Rookie\0Sleuth\0Private Eye\0Investigator\0Ace Detective\0"

and then latter they do:

char* your_rank = select_string(RANKS, player->rank);

and select_string is a confusing function to reverse engineer, but knowing the name I gave it gives it away: it advances through the list until it's on the nth string and returns it

Ghidra is officially sexist. It'll automatically detect the word "Female" and mark it as a string, but not the word "Male"!

Why? SEXISM!

or the fact the default minimum length for strings is 5 characters, so "female" is long enough but "male" isn't.

they have invented a Pronoun Markup Language.
It's \x80 for He/She
It's \x81 for he/she
It's \x82 for his/her

so a string will be "\x80 mentioned \x81 liked seafood and offered me a ride in \x82 motorcycle"
and it'll fill it out based on the pronouns of the suspect

in trying to hack myself into the game, it glitched and said I had "Hobby: Male"

no... I haven't done that in ages!

so in addition to the 5 listed attributes (and their name), the game tracks one hidden attribute:

food preference.
There are only two options:
00=Mexican
01=Seafood

what an odd binary

so when the game starts, it loads:
ACME.DAT
CARMEN.DAT
MIDISND.DAT
DIGISND.DAT
CITIES.DAT

Interestingly, it uses the same code to load the last three, suggesting they're some kind of basic container format

this blit function seems to take a useless first argument, a second argument that's the height, a third argument that's the width, and a fourth argument that doesn't seem to do anything.

notice anything missing? like... a lot of things?

this game uses a fun text encoding method: both-ended null terminated!

It stores city names with a nul at the beginning because it reads them backwards. For some fucking reason.

they seek to position X
read 1 byte
read 99 more bytes
then seek to position X+100

now if you know how both math and random access files work, you'll realize something the programmers of Where in the World is Carmen Sandiego? Enhanced (1990, DOS) did not:

THEY'RE SEEKING TO THE POSITION THEY'RE ALREADY AT

the way this game does the investigations is interesting.
so the basic gameplay is that you're in location X, you get 3 hints, which lead you to location Y, where the whole process repeats.

But if you savescum to experience the same pursuit again, they'll always go through the same places... but if you don't get the hints, they won't be there.

Hah! the game apparently calculates some info ahead of time, but only a few steps. I changed who the suspect was by memory editing, and it didn't take effect... until I got to the third location.

Since I went from a robbery by Fast Eddie B to one by Merey LaRoc, it means the pronouns changed when I got to London.

Congrats on coming out as a trans woman, Merey.

ahh good. it's always fun to find code that looks like:
do{

while(variable!=0);

some one has a custom tick handler that's permutating a global!

looking at interrupts, and I think I found a bug.
they set handlers for various CPU errors, but they accidentally set 10 (COPROCESSOR ERROR) twice, instead of the 05 (BOUND check)/10 (COPRPOCESSOR) interrupts they save

someone copy-pasted and missed a bit

I finally found the two helper functions they use to get and set vectors!

all the 30 other places I've seen them set/get vectors, they do it manually, but hey, maybe they use the helpers too

cities.dat is very interesting. There's 30 cities in total, but 491 entries in it!

So they must be doing something odd there, that doesn't divide equally. Maybe one city-chunk gives IDs of the others?

darn. turns out you can't just renumber the chunks, because they have to be in increasing order.

so maybe I just need to leave the chunk indexes as is, and instead of moving the entries around, I move where they're pointing?

Bingo! I'm in Athens, but I'm seeing the image for Baghdad, and apparently with the Baghdad palette?

So one of these other chunks must be the palette for a city. Or it selects from a selection of palettes? Maybe they've just got a couple defined.

okay I figured out the cities.dat IDs:

They're all 1XXYY (in decimal):
XX is the city number (0-29), YY is the sub-chunk-id.

So like:
YY=0: City name
YY=2: City image.

They go between 00 and 22, and not all numbers need to be present.

hmm, reading a buffer and then summing all the values of the bytes in it.

suspicious behavior.

found a suspicious array, which goes:
[
(-1,0),
(-1,1),
(0,1),
(1,1),
(1,0),
(1,-1),
(0, -1),
(-1,-1),
(0,0)
]

POP QUIZ: why does the font renderer need this array? how are they being "lazy" with this array?

Sensitive content Click to open/close

Sensitive content Click to open/close

The Answer to the DRM questions for Where in the world is Carmen Sandiego? Enhanced (DOS, 1990) are, in no particular order:

23
Kent
dragon
calcium
1796
Warren
revenue
1792
Willard
1937
Crater
Tanzania
Hartford
Duluth
London
Gem
Silent
squeaker

if ((0x80 >> ((byte)local_4 & 7) &
(int)(char)*(byte *)((int)((int *)param_1 + 1) + (local_4 >> 3))) != 0) {

COULD YOU USE SOME MORE CASTS MAYBE?

oh it's because ghidra's near/far pointer support is shit.

I had param2 defined as a byte*32 and it was casting it to a byte* before using it