Analysis of fonts and translation quest 1996 — I Have no Mouth and I Must Scream

All good!


Based on the eponymous novel Harlan Ellison (Harlan Ellison) the game I Have No Mouth and I Must Scream is one of the darkest game ever. Oppressive atmosphere does not let go until the denouement.

In the near future. Three superpowers, USA, Russia and China, each seeking to surpass rivals, has created a supercomputer for warfare. But they have miscalculated. United together, calling themselves the AM, three supercomputer, using the power given to them by people who wiped humanity from the face of the earth. Alive computer leaves only five who will be his toy for endless torture.

The last time I the described 8-bit font, and this time managed to parse 1-bit.
Both of the fonts are not encrypted and not compressed, which greatly simplified the task.

Tools: IDA, dosbox + debugger, winhex, GBS.

KDPW
image

The problem is to find a font among the files.
Clearly, such FONTS, files and folders, there is a resource file scream.res a size of 75.5 MB.
Use Process Monitor (FileMon ex) with a filter on dosbox made the table order of accesses to files, offsets, and sizes.
First started to watch .res file using GBS and ruin the blocks in scream.res in order to call them, found the storage location of the images of fonts:
image


Robin sketched their fonts Arial from taken seem to not have adjusted the width and alignment, but there was confidence that the game can translate the codes of the letters, consistent with cp1251.
Drawing characters will fit perfectly and Excel:


image

Later suggested a great link, comrades of SCUMMVM scratched game, there is a manual.

The font is 1-bit, i.e., one byte can be set to 8 pixels. Multiple bytes form a series. Some series form the height of the obtained memory block (height * length) bytes, or a rectangle resolution (height X (number * 8)).
Visual memory in the game look like this (green and red bars indicate bytes):
image
image

The game uses a small font and R3, R1 box.
the Structure of each font
Header — 1286 bytes, consists of
ITE_FONTHEADER, 6 bytes
INT16, c_height — maximum character height
INT16 c_width — maximum width of the symbol, the parameter is completely unnecessary,
INT16 row_length is the length of the row image of the font (in bytes)

Then 256 bytes, array indices, the indices I equated to cp1251 (AA is the index 192-255).
INT16 index[256] is the byte number at which to start a symbol.

Then 256 bytes, the array of the widths of characters:
BYTE width[256] — character width in pixels, can be any in reasonable limits, from 0 to infinity. Well, to 255 :)

Then 256 bytes, the flag. As I understand it from a series of experiments, he sets the left indent, in pixels.
BYTE flag[256] Unknown character flag (either 0 or 1)

Then 256 bytes are tracking how many pixels of a character rendered. Counting from left to right from 0 to infinity. To one byte.
Tracking BYTE[256] tracking

Following the header is a block of data (row_length * c_height) bytes in length.

Formula access to any beginning of the row:
font_data + (row_length * y)
where font_data — a pointer to the beginning of the font data, y is the row number.

Each character is ((width[index] — 1) / 8) + 1 bytes.


After these data, the artist of the forum gave pretty similar to the original dialog font. The original was reserved all sorts of icons and the umlauts are enough bytes to fit the original and Russian font. In stock in the end even 1 byte that I'm turning down. Wrote a program block copy from BMP, where he painted Russian font in a straight line right to the block of the game.


Began the second font:


Here was a school. The original block was very, very little space, that is, of the set to exclude 14 wacky characters, but this is clearly not enough for 66 Russian letters.

First I tried to play a number of bytes of the row, thinking that the game initialisere the buffer height, and byte range. Looked in winhex that the next block is another font, but it is not used in the game. Reset the unit, increased the length of the number, but received the same set of characters but with a shift. It turned out that the size of the data buffer is written somewhere in other place.
Tried to keep the length of the row unchanged, but the play index.
Nothing I have of all the ploys did not work, getting in the trash. As it turned out, I forgot that at the end of the resource file there is a table of offsets and sizes of blocks needed to play with her and everything would have turned out without patching.the EXE file )

Here I am confuse how dos header to throw out and remove the LE file that I can put in the IDA that it happily recognizes as a 32 bit LE file. Opened the file in winhex found a line "*** NULL assignment detected", and went up to MZ and the beginning of the cut to MZ.
Thank you cracklab.

Then got another problem, how to match the address in dosbox (it looks like a 180:200c61) and the address in IDA (looks like cseg01:0001AC1F) to see where the code is running and to make his analysis. On the SCUMMVM website offered a pretty stupid option, working, but extremely slow. I'm still waiting IDADOS when it will be possible to watch the code in IDA and immediately trace the power of dosbox. But until then... ask IDA to search for a sequence of approximately 10 bytes, what we see in dosbox debuger.
This game turned out to be the formula:
the address in dosbox — 1DFFFE h = address in IDA.

At this point, I was aware of the exact offset of started blocks of fonts and their sizes. Began to look for these numbers in IDA with a simple search, but found nothing.
Then in dosbox debuger asked a interruption for the positioning of the pointer read (int 21h, ah=42h, LSEEK). Before calling in CX:DX must have a value how to move the pointer: (CX * 65536) + DX.

A few jumps found 2 consecutive call to read 2 fonts from the game, not just those that are used.
In DX it was I needed. Rewind back a little and found the initialization block font that looks like this:
mov eax, 6 ( eventually patched to mov eax, 3)
call InitFont
mov eax, 8
call InitFont

just in block 5 and 7 font. Having played different numbers, looked as unused fonts appear in the game:
image
image
image
image

Looked at block sizes of fonts, chose the biggest, moved to block a small font, patched the executable file made from BMP import of Russian letters (bmp 256 colors just one byte equals one pixel, the conversion of a byte in bits comes second), corrected indices, trekking, width and the length of the series, increased per unit height to the letters on the top and bottom are not merged and finally got the final font.
Kept the original symbols, numbers, letters, added a number of Russian letters, including Her.
image
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Car navigation in detail

Изображение
This article is for those who are going in the near future to buy a car Navigator, but lacks information. For example, a typical Navigator Lexand Si-515 Pro HD I will try to elaborate what is now proposed on the market such devices. Also describe the impressions of three of the tested navigation systems, one of which passed in June, about three thousand kilometres through two countries. And at the end of the article will result in a large comparative table 23 current models of navigators Lexand, to show what can be possible in these devices. The choice of now is large enough. Prices and performance, thanks to competition, differ not so strongly. Typically, when buying are interested in the reliability and usability of the device. The functionality and relevance of the cards of 100% define the installed navigation system. It is therefore very important to be able to update it easily, and even better if you can run several different. the Characteristics and sp
Далее...

PostgreSQL: Analytics for DBA

Many users of PostgreSQL know that the server at the time of their work collects a variety of statistics, but not everyone knows that it is useful to analyze and how to extract it. This small Toolkit collected some useful queries that give some idea about how to use this "hidden knowledge", which constantly accumulates. These queries can be used to monitor the status of PostgreSQL (manually or with plugins for monitoring systems like Nagios, Cacti or Zabbix), to search for bottlenecks in the server and many other similar tasks. Remember that this is only the tip of the iceberg; in the documentation you can find descriptions of several dozen system ideas that can also be useful for the PostgreSQL administrator. For correct work need to enable Toolkit options stats_block_level and stats_row_level in postgresql.conf and set the parameter of stats_reset_on_server_start in its sole discretion. If each time you restart the PostgreSQL server you change some important configu
Далее...

Google has launched an online training course advanced search

Изображение
/ > As planned Google today launched training the advanced search. I just received the e-mail. the text of the letter (in English) We're excited to launch the first class of Power Searching with Google! Get started by taking a pre-class assessment and studying the material in the first class: www.powersearchingwithgoogle.com Class 1 available Class 2 available July 11 Class 3 and mid-class assessment available July 12 Hangout on Air with search experts July 13 1:00-1:45pm PDT (add to calendar) Submit questions for search experts: www.google.com/moderator/#16/e=2004ad Mid-class assessment due July 17 at 7:59am PDT (add to calendar) Classes 4-6 available July 17-19 Hangout on Air with search experts July 19 11:00-11:45am PDT (add to calendar) Post-class assessment due July 23 at 4:59pm PDT (add to calendar) Need help? Please join the course staff in the course forum and follow our Google+ page for additional exercises, tips, and tricks!
Далее...