;####################################################
;
; Analysis of the PINBALL!bdoor_controller function
; from MS Windows Pinball.
;
; By Mr Speaker
; mrspeaker@gmail.com
; mrspeaker.net
;
; I've find-replaced these to take up less space:
;
; PINBALL!pbctrl_bdoor_controller = back_door
; PINBALL!edge_manager = edge_man
; PINBALL!sound_count = sound
;
;####################################################
;
; Reading notes (x86-32, Intel syntax, WinDbg-style "addr mnemonic ; comment"):
;
;  - Shape of the routine: one dword argument at [ebp+0x8] (the key code) and
;    `ret 0x4` pops it, so this is a callee-cleans (__stdcall-style) function.
;    esi is saved on entry, zeroed, never written again, and restored on exit;
;    every `cmp ...,esi` / `mov ...,esi` below is therefore a compare/store of 0.
;  - The key values tested (0x4d 'M', 0x44 'D', 0x20, 0x31 '1', 0x41 'A', ...
;    and 0xBE) line up with Windows virtual-key codes (VK_M, VK_D, VK_SPACE,
;    VK_1, VK_A, VK_OEM_PERIOD), which is why letters are uppercase here even
;    when typed in lower case.
;  - All cheat progress lives in ONE global dword, edge_man+0x14 ("the
;    counter"). Each key either advances the counter to the next expected
;    value, starts a word (only from counter == 0), or resets it to 0.
;  - The `neg / sbb / and / add` sequence at every word start is branchless
;    `counter = (counter == 0) ? N : 0` - it is NOT an unconditional
;    "set counter to N": a cheat word can only be started from an idle counter.
;  - Word walk-through (counter after each key, from the compares below):
;      1 M A X               ->  61,  62,  63 -> table_add_extra_ball
;      G M A X               -> 101, 102, 103 -> GravityWellKickoutControl
;      R M A X               -> 121, 122, 123 -> cheat_bump_rank
;      B M A X               ->  81,  82,  83 -> edge_man+0x8 = 1
;      H I D D E N sp T E S T ->  21 .. 30     -> cheat_mode = 1
;      C I N E M A T R O N I C S .  -> 1 .. 13, then the '.' compare is dead
;      Q U O T E S           ->  41 .. 46, and nothing in this function tests 46
;
; The two-byte `mov edi,edi` at entry is the usual MS hot-patch padding NOP.
0100e1b0 mov edi,edi                                  ; hot-patch NOP, does nothing
0100e1b2 push ebp
0100e1b3 mov ebp,esp
0100e1b5 mov eax,[sound+0x4e4 (01023bbc)]             ; eax = some object pointer stored at sound+0x4e4
0100e1ba push esi                                     ; save esi (callee-saved)
0100e1bb xor esi,esi                                  ; esi = 0 for the rest of the function
0100e1bd cmp [eax+0x6],esi                            ; if the dword at [obj+0x6] is non-zero ...
0100e1c0 jne back_door+0x351 (0100e501)               ; ... ignore the key entirely and return.
; NOTE(review): the author guessed this is an "already in cheat mode" test, but
; the cheat_mode global written at 0100e4dc is a different location, so what
; this field means can't be told from this listing.
; Okay... we're into it now...
0100e1c6 mov eax,[ebp+0x8]                            ; eax = key code (the one dword parameter)
; Key dispatch: a binary split on 'M' and 'D', then chains of sub/dec so that
; a zero result (jz/je) identifies the key. eax is consumed by the chains, so
; later blocks re-load the counter into eax themselves.
0100e1c9 cmp eax,0x4d                                 ; compare with 'M' (0x4d)
0100e1cc jnle back_door+0x1cf (0100e37f)              ; key > 'M' (jnle == jg, signed)
0100e1d2 je back_door+0x19e (0100e34e)                ; key == 'M'
0100e1d8 cmp eax,0x44                                 ; compare with 'D' (0x44)
0100e1db jnle back_door+0x11c (0100e2cc)              ; 'D' < key < 'M'
0100e1e1 je back_door+0xfd (0100e2ad)                 ; key == 'D'
0100e1e7 sub eax,0x20                                 ; eax = key - 0x20
0100e1ea je back_door+0xe1 (0100e291)                 ; key == space (0x20)
0100e1f0 sub eax,0x11                                 ; eax = key - 0x31  (0x20 + 0x11 = 0x31 = '1')
0100e1f3 je back_door+0xcd (0100e27d)                 ; key == '1'
0100e1f9 sub eax,0x10                                 ; eax = key - 0x41
0100e1fc jz back_door+0x9c (0100e24c)                 ; key == 'A' (0x41)
0100e1fe dec eax                                      ; eax = key - 0x42 (they do this "subtracting" method a lot)
0100e1ff jz back_door+0x88 (0100e238)                 ; key == 'B' (0x42)
0100e201 dec eax                                      ; eax = key - 0x43
0100e202 jne back_door+0x302 (0100e4b2)               ; not 'C' (0x43): reset counter and return
;
; The counter is what keeps track of the "cheat" word.
; For example, for the first word that starts here, typing "c" will set the
; counter to 1. If the next key you press is "i", then it goes down to
; line 0100e2df below. This compares the counter with 1. If it is (which it is),
; then it increments the counter to 2. So if you find where the counter is
; compared to the number 2, you can trace it back and find which character will
; make it get to that compare. In this case it's "n" - 'cause it makes up the
; word "cinematronics." - These guys made the game, but (see 0100e45a) this
; word never does anything.
;
; ---- key 'C': start of "CINEMATRONICS." (counter 0 -> 1) or its 12th letter (11 -> 12)
0100e208 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e20d cmp eax,esi                                  ; counter == 0 ?  (first 'C' of the word)
0100e20f jnz back_door+0x70 (0100e220)                ; no: check for the second 'C'
0100e211 mov dword ptr [edge_man+0x14 (01025050)],0x1 ; yes: counter = 1
0100e21b jmp back_door+0x351 (0100e501)               ; return
; else
0100e220 cmp eax,0xb                                  ; counter == 11 ?
0100e223 jne back_door+0x302 (0100e4b2)               ; no: reset counter to 0 and return
0100e229 mov dword ptr [edge_man+0x14 (01025050)],0xc ; yes: counter = 12
0100e233 jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'B': start of "BMAX"
; neg/sbb turns eax into 0 (counter was 0) or -1 (counter was non-zero);
; and 0xffffffaf == -0x51, so after add 0x51: counter = (counter == 0) ? 81 : 0.
0100e238 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e23d neg eax                                      ; CF = (counter != 0)
0100e23f sbb eax,eax                                  ; eax = counter ? -1 : 0
0100e241 and eax,0xffffffaf                           ; eax = counter ? -0x51 : 0
0100e244 add eax,0x51                                 ; eax = counter ? 0 : 81 (0x51)
0100e247 jmp back_door+0x34c (0100e4fc)               ; store eax as the counter and return
;
; ---- key 'A': third letter of "?MAX" words, or 6th of "CINEMATRONICS."
0100e24c mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e251 cmp eax,0x5
0100e254 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 5   (CINEM-A)
0100e25a cmp eax,0x3e
0100e25d je back_door+0x34b (0100e4fb)                ; counter++ if counter == 62  (1M-A)
0100e263 cmp eax,0x52
0100e266 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 82  (BM-A)
0100e26c cmp eax,0x66
0100e26f je back_door+0x34b (0100e4fb)                ; counter++ if counter == 102 (GM-A)
0100e275 cmp eax,0x7a
0100e278 jmp back_door+0x349 (0100e4f9)               ; flags carried to 0100e4f9: counter == 122 (RM-A) ?
;                                                     ;   yes: counter++   no: counter = 0
;
; ---- key '1': start of "1MAX" (table_add_extra_ball)
; same branchless pattern: 0xffffffc3 == -0x3d, so counter = (counter == 0) ? 61 : 0
0100e27d mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e282 neg eax
0100e284 sbb eax,eax                                  ; eax = counter ? -1 : 0
0100e286 and eax,0xffffffc3                           ; eax = counter ? -0x3d : 0
0100e289 add eax,0x3d                                 ; eax = counter ? 0 : 61
0100e28c jmp back_door+0x34c (0100e4fc)               ; store counter and return
;
; ---- key space: "HIDDEN TEST" letter 7 (26 -> 27)
0100e291 cmp dword ptr [edge_man+0x14 (01025050)],0x1a
0100e298 jne back_door+0x302 (0100e4b2)               ; reset/return unless counter == 26
0100e29e mov dword ptr [edge_man+0x14 (01025050)],0x1b ; counter = 27
0100e2a8 jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'D': "HIDDEN TEST" letters 3 and 4 (22 -> 23, 23 -> 24)
0100e2ad cmp dword ptr [edge_man+0x14 (01025050)],0x16
0100e2b4 je back_door+0x24b (0100e3fb)                ; counter++ if counter == 22
0100e2ba cmp dword ptr [edge_man+0x14 (01025050)],0x17
0100e2c1 je back_door+0x24b (0100e3fb)                ; counter++ if counter == 23
0100e2c7 jmp back_door+0x302 (0100e4b2)               ; otherwise reset/return
;
; ---- 'D' < key < 'M': dispatch on E / G / H / I
0100e2cc sub eax,0x45                                 ; eax = key - 0x45
0100e2cf jz back_door+0x176 (0100e326)                ; key == 'E' (0x45)
0100e2d1 dec eax
0100e2d2 dec eax                                      ; eax = key - 0x47
0100e2d3 jz back_door+0x162 (0100e312)                ; key == 'G' (0x47)
0100e2d5 dec eax                                      ; eax = key - 0x48
0100e2d6 jz back_door+0x14e (0100e2fe)                ; key == 'H' (0x48)
0100e2d8 dec eax                                      ; eax = key - 0x49
0100e2d9 jne back_door+0x302 (0100e4b2)               ; not 'I' (0x49): reset/return
;
; ---- key 'I'
0100e2df mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e2e4 cmp eax,0x1
0100e2e7 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 1  (C-I)
0100e2ed cmp eax,0xa
0100e2f0 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 10 (CINEMATRON-I)
0100e2f6 cmp eax,0x15
0100e2f9 jmp back_door+0x349 (0100e4f9)               ; flags carried: counter == 21 (H-I) ? counter++ : counter = 0
;
; ---- key 'H': start of "HIDDEN TEST" (cheat_mode = 1 at the end)
; 0xffffffeb == -0x15, so counter = (counter == 0) ? 21 : 0
0100e2fe mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e303 neg eax
0100e305 sbb eax,eax                                  ; eax = counter ? -1 : 0
0100e307 and eax,0xffffffeb                           ; eax = counter ? -0x15 : 0
0100e30a add eax,0x15                                 ; eax = counter ? 0 : 21
0100e30d jmp back_door+0x34c (0100e4fc)               ; store counter and return
;
; ---- key 'G': start of "GMAX" (GravityWellKickoutControl)
; 0xffffff9b == -0x65, so counter = (counter == 0) ? 101 : 0
0100e312 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e317 neg eax
0100e319 sbb eax,eax                                  ; eax = counter ? -1 : 0
0100e31b and eax,0xffffff9b                           ; eax = counter ? -0x65 : 0
0100e31e add eax,0x65                                 ; eax = counter ? 0 : 101
0100e321 jmp back_door+0x34c (0100e4fc)               ; store counter and return
;
; ---- key 'E'
0100e326 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e32b cmp eax,0x3
0100e32e je back_door+0x34b (0100e4fb)                ; counter++ if counter == 3  (CIN-E)
0100e334 cmp eax,0x18
0100e337 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 24 (HIDD-E)
0100e33d cmp eax,0x1c
0100e340 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 28 (HIDDEN T-E)
0100e346 cmp eax,0x2c
0100e349 jmp back_door+0x349 (0100e4f9)               ; flags carried: counter == 44 (QUOT-E) ? counter++ : counter = 0
;
; ---- key 'M': second letter of every "?MAX" word, or 5th of "CINEMATRONICS."
0100e34e mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e353 cmp eax,0x4
0100e356 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 4   (CINE-M)
0100e35c cmp eax,0x3d
0100e35f je back_door+0x34b (0100e4fb)                ; counter++ if counter == 61  (1-M)
0100e365 cmp eax,0x51
0100e368 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 81  (B-M)
0100e36e cmp eax,0x65
0100e371 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 101 (G-M)
0100e377 cmp eax,0x79
0100e37a jmp back_door+0x349 (0100e4f9)               ; flags carried: counter == 121 (R-M) ? counter++ : counter = 0
;
; ---- key > 'M': eax still holds the raw key here (no sub has run on this path)
0100e37f cmp eax,0x53                                 ; compare with 'S' (0x53)
0100e382 jnle back_door+0x294 (0100e444)              ; key > 'S'
0100e388 je back_door+0x275 (0100e425)                ; key == 'S'
0100e38e sub eax,0x4e                                 ; eax = key - 0x4e
0100e391 jz back_door+0x256 (0100e406)                ; key == 'N' (0x4e)
0100e393 dec eax                                      ; eax = key - 0x4f
0100e394 jz back_door+0x235 (0100e3e5)                ; key == 'O' (0x4f)
0100e396 dec eax
0100e397 dec eax                                      ; eax = key - 0x51
0100e398 jz back_door+0x221 (0100e3d1)                ; key == 'Q' (0x51)
0100e39a dec eax                                      ; eax = key - 0x52
0100e39b jne back_door+0x302 (0100e4b2)               ; not 'R' (0x52): reset/return
;
; ---- key 'R': start of "RMAX" (cheat_bump_rank), or 8th letter of "CINEMATRONICS."
; Unlike the other word starts this one uses an explicit compare instead of the
; neg/sbb trick, because it also has to accept counter == 7.
0100e3a1 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e3a6 cmp eax,esi                                  ; counter == 0 ?  (first letter)
0100e3a8 jnz back_door+0x209 (0100e3b9)               ; no: check the CINEMAT-R case
0100e3aa mov dword ptr [edge_man+0x14 (01025050)],0x79 ; yes: counter = 121
0100e3b4 jmp back_door+0x351 (0100e501)               ; return
; else
0100e3b9 cmp eax,0x7                                  ; counter == 7 ?
0100e3bc jne back_door+0x302 (0100e4b2)               ; no: reset/return
0100e3c2 mov dword ptr [edge_man+0x14 (01025050)],0x8 ; yes: counter = 8
0100e3cc jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'Q': start of "QUOTES"
; 0xffffffd7 == -0x29, so counter = (counter == 0) ? 41 : 0
0100e3d1 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e3d6 neg eax
0100e3d8 sbb eax,eax                                  ; eax = counter ? -1 : 0
0100e3da and eax,0xffffffd7                           ; eax = counter ? -0x29 : 0
0100e3dd add eax,0x29                                 ; eax = counter ? 0 : 41
0100e3e0 jmp back_door+0x34c (0100e4fc)               ; store counter and return
;
; ---- key 'O'
0100e3e5 cmp dword ptr [edge_man+0x14 (01025050)],0x8
0100e3ec jz back_door+0x24b (0100e3fb)                ; counter++ if counter == 8  (CINEMATR-O)
0100e3ee cmp dword ptr [edge_man+0x14 (01025050)],0x2a
0100e3f5 jne back_door+0x302 (0100e4b2)               ; reset/return unless counter == 42 (QU-O)
; fall through: the in-memory increment shared by the 'D' and 'O' handlers
0100e3fb inc dword ptr [edge_man+0x14 (01025050)]     ; counter++
0100e401 jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'N'
0100e406 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e40b cmp eax,0x2
0100e40e je back_door+0x34b (0100e4fb)                ; counter++ if counter == 2  (CI-N)
0100e414 cmp eax,0x9
0100e417 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 9  (CINEMATRO-N)
0100e41d cmp eax,0x19
0100e420 jmp back_door+0x349 (0100e4f9)               ; flags carried: counter == 25 (HIDDE-N) ? counter++ : counter = 0
;
; ---- key 'S'
0100e425 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e42a cmp eax,0xc
0100e42d je back_door+0x34b (0100e4fb)                ; counter++ if counter == 12 (CINEMATRONIC-S)
0100e433 cmp eax,0x1d
0100e436 je back_door+0x34b (0100e4fb)                ; counter++ if counter == 29 (HIDDEN TE-S)
0100e43c cmp eax,0x2d
0100e43f jmp back_door+0x349 (0100e4f9)               ; flags carried: counter == 45 (QUOTE-S) ? counter++ : counter = 0
;
; ---- key > 'S': dispatch on T / U / X / 0xBE
0100e444 sub eax,0x54                                 ; eax = key - 0x54
0100e447 je back_door+0x31f (0100e4cf)                ; key == 'T' (0x54)
0100e44d dec eax                                      ; eax = key - 0x55
0100e44e jz back_door+0x30a (0100e4ba)                ; key == 'U' (0x55)
0100e450 sub eax,0x3                                  ; eax = key - 0x58
0100e453 jz back_door+0x2b3 (0100e463)                ; key == 'X' (0x58)
0100e455 sub eax,0x66                                  ; eax = key - 0xbe
0100e458 jnz back_door+0x302 (0100e4b2)               ; not 0xBE (VK_OEM_PERIOD, the '.' key): reset/return
0100e45a cmp dword ptr [edge_man+0x14 (01025050)],0xd ; counter == 13 ? - result is never used ...
0100e461 jmp back_door+0x302 (0100e4b2)               ; ... because this jump is unconditional: reset/return
; NOTE: this looks like the last key of "CINEMATRONICS." - the compare against
; 13 is dead code (unconditional jmp right after it), so typing the whole word
; just resets the counter to 0. Presumably the action was compiled out.
;
; ---- key 'X': the terminal letter of the four "?MAX" words
0100e463 mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e468 cmp eax,0x3f
0100e46b jnz back_door+0x2ce (0100e47e)               ; counter != 63 (1MA-X): try the next word
; 1MAX: push one float argument by value (reserve 4 bytes with push ecx, then
; fstp the constant into that slot) and call table_add_extra_ball(float).
; No add esp follows, so the callee must pop its own argument.
0100e46d fld dword ptr [PINBALL!_real (01002374)]     ; st0 = some float constant (value not shown here)
0100e473 push ecx                                     ; make room for the float on the stack
0100e474 fstp dword ptr [esp]                         ; [esp] = st0
0100e477 call PINBALL!table_add_extra_ball (0100c2f3) ; extra ball!
0100e47c jmp back_door+0x2f6 (0100e4a6)               ; set the flag at [obj+0x3e], reset, return
0100e47e cmp eax,0x53
0100e481 jnz back_door+0x2dd (0100e48d)               ; counter != 83 (BMA-X): try the next word
; BMAX: edge_man+0x8 = 1. What that field controls can't be told from here.
0100e483 xor eax,eax
0100e485 inc eax                                      ; eax = 1
0100e486 mov [edge_man+0x8 (01025044)],eax            ; edge_man+0x8 = 1
0100e48b jmp back_door+0x331 (0100e4e1)               ; then [obj+0x3e] = eax (1), reset, return
0100e48d cmp eax,0x67
0100e490 jnz back_door+0xc (0100e49c)                 ; counter != 103 (GMA-X): try the next word
; GMAX: GravityWellKickoutControl(0x40, 0) - esi is 0 here; 8 bytes pushed and
; no add esp afterwards, so again the callee cleans the stack.
0100e492 push esi                                     ; second argument = 0
0100e493 push 0x40                                    ; first argument = 0x40
0100e495 call PINBALL!GravityWellKickoutControl (0100dd7a)
0100e49a jmp back_door+0x2f6 (0100e4a6)               ; set the flag at [obj+0x3e], reset, return
0100e49c cmp eax,0x7b
0100e49f jnz back_door+0x302 (0100e4b2)               ; counter != 123 (RMA-X): reset/return
0100e4a1 call PINBALL!cheat_bump_rank (0100e111)      ; RMAX: bump rank
; Every completed word ends up here (or at 0100e4e1) and writes 1 into the
; dword at offset 0x3e of the object pointed to by edge_man+0x4 - presumably a
; "cheat was used" marker, but the listing doesn't show who reads it.
0100e4a6 mov eax,[edge_man+0x4 (01025040)]            ; eax = object pointer at edge_man+0x4
0100e4ab mov dword ptr [eax+0x3e],0x1                 ; obj->field_3e = 1
; common reset + return
0100e4b2 mov [edge_man+0x14 (01025050)],esi           ; counter = 0
0100e4b8 jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'U': "QUOTES" letter 2 (41 -> 42)
0100e4ba cmp dword ptr [edge_man+0x14 (01025050)],0x29
0100e4c1 jnz back_door+0x302 (0100e4b2)               ; reset/return unless counter == 41
0100e4c3 mov dword ptr [edge_man+0x14 (01025050)],0x2a ; counter = 42
0100e4cd jmp back_door+0x351 (0100e501)               ; return
;
; ---- key 'T': last letter of "HIDDEN TEST", or a middle letter of three words
0100e4cf mov eax,[edge_man+0x14 (01025050)]           ; eax = counter
0100e4d4 cmp eax,0x1e
0100e4d7 jnz back_door+0x33c (0100e4ec)               ; counter != 30: not the final 'T', check the others
; HIDDEN TEST complete: cheat_mode = 1
0100e4d9 xor eax,eax
0100e4db inc eax                                      ; eax = 1
0100e4dc mov [PINBALL!cheat_mode (01024ff8)],eax      ; cheat_mode = 1
; shared tail (also reached from BMAX at 0100e48b with eax == 1)
0100e4e1 mov ecx,[edge_man+0x4 (01025040)]            ; ecx = object pointer at edge_man+0x4
0100e4e7 mov [ecx+0x3e],eax                           ; obj->field_3e = eax (== 1 on both paths)
0100e4ea jmp back_door+0x302 (0100e4b2)               ; reset counter and return
;
0100e4ec cmp eax,0x1b
0100e4ef jz back_door+0x34b (0100e4fb)                ; counter++ if counter == 27 (HIDDEN -T)
0100e4f1 cmp eax,0x6
0100e4f4 jz back_door+0x34b (0100e4fb)                ; counter++ if counter == 6  (CINEMA-T)
0100e4f6 cmp eax,0x2b                                 ; counter == 43 (QUO-T) ?
; Shared tail for the "cmp ...; jmp 0100e4f9" blocks above: the flags from the
; caller's last cmp are still live here, and eax holds the counter.
0100e4f9 jnz back_door+0x302 (0100e4b2)               ; not the expected value: reset/return
0100e4fb inc eax                                      ; counter++ (also the target of every je/jz above)
0100e4fc mov [edge_man+0x14 (01025050)],eax           ; store the counter (also the target of the word starts)
;
; epilogue: restore esi/ebp, pop the one dword argument
0100e501 pop esi
0100e502 pop ebp
0100e503 ret 0x4                                      ; we outta here.