-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwindow.txt
78 lines (54 loc) · 2.52 KB
/
window.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
The mouse's x position, /8, is stored in EDX. The window pops up at the mouse's location. So look for something that uses that value, and maybe that value plus 4?
More specifically, the x value in pixels is stored in EDI.
Look for a4?
EDI gets rewritten by something else before the breakpoint is hit, so look for it being restored somewhere
y value in pixels is stored in the stack, at memory address 2a77e.
1076:3b2a 83c404 add sp, +04 ; more related to the stack than anything
whoops, dx got xor dx, dx'd.
Also look for 0x20, the space for four characters
The window isn't written all at once. r-------7, then half a line of white space, then the rest of the line of white space
(Half a line of white space = one full line of white space in the smaller window.)
Sides are 8px wide
Replaced tons of 20's with 30's: didn't work
Replaced tons of 30's with 40's: didn't work
18f92 is a good thing to breakpoint for some code that draws the window.
The line that adds +50 to di is telling it where in VRAM to draw some white pixels
So how to find the outer loop that tells it to draw more columns?
1076:3e20 8b46fc mov ax, [bp-04] (= 6)d
1076:3e23 05feff add ax, fffe (= 4)
1076:3e26 3b46fe cmp ax, [bp-02] (9a is indeed > 4)
1076:3e29 7fe4 jg 3e0f (jump executes)
Then do some stuff and call 183c:0b89.
3eb1 8b46fa mov ax, [bp-06] (= 8?)
3eb4 05fcff add ax, fffc ( = 4)
3eb7 3bc7 cmp ax, di (04 > 00)
3eb9 7f9c jg 3e57
1076:3dce cmp ax (02), di (01)
1076:3dd0 7fe7 jg 3db9
Then do some stuff and call 183c:0b89.
After the second breakpoint of reading the commmand str:
1076:3b3e c6061626ff mov [2616], ff
3b43 mov [bp-04], 6
3b48 mov [bp-06], 8
jmp 3d08
Anything analogous for the larger window?
1076:3b74 mov [2601], ff
3b79 mov [bp-04], a
3b7e mov [bp-06], 6
The actual hack:
Change 1076:3b46 from 6 to b (or maybe larger?)
Change 1076:3b7b from a to c
segment 1076 is 6ff0 in CR1.EXE.
So those two addresses are ab36 and ab6c.
There are duplicates of those two mov commands elsewhere: afb1 and afbd.
These control the window-close code, so they should be changed here too.
Now, as for the window highlighting code:
The width of both highlights is at 2a742.
This is really just a value in the stack though. (1a79:ffb2 == 2a742)
So how did it get there?
1076:3843 c746fa0400 mov [bp-06], 4 ; located at 0xa836
1076:3848 c746f80300 mov [bp-08], 3
1076:384f c746fa0800 mov [bp-06], 8 ; is this the second menu width? (yes)
1076:3877 c746fa0800 mov [bp-06], 8 ; or is this? (dunno what this is) a842
Look for:
c746fa0600