289 lines
No EOL
19 KiB
Markdown
289 lines
No EOL
19 KiB
Markdown
# Spanish `CRUSADER.EXE` Cheat / Debug Differences
|
|
|
|
This note records a focused live-Ghidra pass over the Spanish executable opened from `/es/CRUSADER.EXE` and compares the known English cheat/debug control areas against the Spanish build.
|
|
|
|
## Scope
|
|
|
|
- Target analyzed in Ghidra MCP: `/es/CRUSADER.EXE`
|
|
- Comparison baseline: live English `CRUSADER.EXE` findings already recorded in [docs/ne-segment1.md](docs/ne-segment1.md)
|
|
- Goal: determine whether the Spanish executable changes the known `-laurie`, cheat-gate, F10, `Ctrl+Q`, Hack Mover, and secret-sequence lanes enough to support claims about different cheat behavior
|
|
|
|
## Summary
|
|
|
|
Current best read: the Spanish executable does **not** show a materially different cheat/debug framework in the known control areas.
|
|
|
|
What changed is mostly address placement, not behavior:
|
|
|
|
- the broad cheat/debug gate, gameplay-input gate, and low-level keyboard-cheat latch all still exist
|
|
- the same hidden/debug event lanes are still present behind the broad gate
|
|
- the `-laurie` parser still exists and still uses English-facing text
|
|
- the Laurie hint string and multiple cheat/debug status strings are still English in the Spanish build
|
|
- the `Ctrl+Q` lane is still the CD transfer display toggle, not the immortality toggle
|
|
- the Hack Mover toggle lane is still present
|
|
|
|
What is **not** yet proven from this pass is the exact secret scan-code matcher table. No replacement secret sequence was recovered in the known cheat areas, but the secret-sequence table itself was not directly pinned down in this Spanish session.
|
|
|
|
## Verified Spanish Mapping
|
|
|
|
### Master Cheat / Debug Gate
|
|
|
|
- `1478:0910` is the Spanish build's broad cheat/debug master gate.
|
|
- It is written by the `-laurie` parser at `1050:0985`.
|
|
- It is read by the same large hidden/debug event handler family inside `World_HandleKeyboardInput` at `13e8:14b4`.
|
|
|
|
Recovered gated case sites include:
|
|
|
|
- `13e8:19da`
|
|
- `13e8:1a0a`
|
|
- `13e8:1a36`
|
|
- `13e8:2211`
|
|
- `13e8:243c`
|
|
- `13e8:24a5`
|
|
|
|
This matches the English-side model where one broad master gate enables several hidden/debug event handlers.
|
|
|
|
### Gameplay Input / Option-Key Gate
|
|
|
|
- `1478:0927` is the gameplay-input / option-key gate in the Spanish build.
|
|
- It is set during `Game_Start` at `1028:0127`.
|
|
- It is cleared in `ComputerGump_CreateGump` at `13a0:01f5`.
|
|
- It is restored at `13a0:0233` during the paired computer-gump teardown path.
|
|
|
|
This is the same structural role already established in the English build: broader gameplay-input eligibility, not a separate cheat-state bit.
|
|
|
|
### Low-Level Keyboard Cheat Latch
|
|
|
|
- `1478:5fb3` is the Spanish build's low-level keyboard-cheat latch.
|
|
- It is read repeatedly from `13e8:14b4` in the same family of keyboard/debug checks.
|
|
- Helper setters at `13e8:0071` and `13e8:0077` write `1` and `0` respectively, and are called from the Laurie-hint/computer-gump-side helper `13e8:0e31` setup path.
|
|
|
|
This no longer supports the older English-side `-laurie` plus `~` model by itself. The current Spanish pass found repeated **reads** of `1478:5fb3`, but still no recovered runtime writer inside the normal keyboard handler family. The only recovered writes remain the tiny `13e8:0071/0077` helpers, and `13e8:0e31` calls them back-to-back inside the Laurie hint path.
|
|
|
|
Current safest read is therefore narrower: `1478:5fb3` is still a real gate byte in the Spanish keyboard/debug family, but the live Spanish session does **not** currently show the English-style runtime `~` toggle path that would make `-laurie` plus tilde a proven bootstrap for the broader keyboard-cheat state.
|
|
|
|
## Verified Hidden / Debug Event Lanes
|
|
|
|
### CD Transfer Display (`Ctrl+Q` Family)
|
|
|
|
The Spanish build still preserves the English-side `Ctrl+Q` conclusion:
|
|
|
|
- `13e8:2211` is the `0x410` event lane under the broad gate at `1478:0910`
|
|
- it toggles byte `1478:5fb7`
|
|
- it posts the same English strings:
|
|
- `1478:6022` = `CD TRANSFER DISPLAY ACTIVE.`
|
|
- `1478:603e` = `CD TRANSFER DISPLAY INACTIVE.`
|
|
|
|
That is consistent with the English analysis: this lane is still CD transfer display state, not immortality.
|
|
|
|
### Hack Mover
|
|
|
|
The Spanish build still preserves the Hack Mover toggle lane:
|
|
|
|
- `13e8:249b` first requires `1478:8ad6 != 0`
|
|
- `13e8:24a5` toggles byte `1478:5fb2`
|
|
- it posts:
|
|
- `1478:605c` = `HACK MOVER ON`
|
|
- `1478:606a` = `HACK MOVER OFF`
|
|
|
|
The compiled runtime chain is now tighter too:
|
|
|
|
- `1478:5fb2` is the actual Hack Mover on/off toggle, not the unresolved unlock byte
|
|
- `13e8:0ef9` and `13e8:0f77` both clear `1478:5fb2`, so normal modal/setup helpers can forcibly shut the feature back off
|
|
- `13e8:282f` is the adjacent runtime helper that watches `1478:5fb2`, uses temp/state byte `1478:8ad9`, and can transition into the active move setup at `13e8:2f0e`
|
|
- `13e8:2f0e` captures cursor-to-object offsets into `1478:8acc` / `1478:8ace` and sets `1478:8ac0 = 1`
|
|
- `13e8:3009` is the paired cleanup path that clears `1478:8ac0`
|
|
|
|
So the live compiled split is now:
|
|
|
|
- `1478:8ad6` = unresolved precondition / unlock gate
|
|
- `1478:0910` = broad `-laurie` gate
|
|
- `1478:5fb2` = Hack Mover active toggle
|
|
- `1478:8ac0`, `1478:8acc`, `1478:8ace`, `1478:8ad9` = downstream runtime state after Hack Mover is already on
|
|
|
|
So Hack Mover remains present and still uses English-facing status strings in this localized executable.
|
|
|
|
That extra `1478:8ad6` pre-check matters. In the English build, Hack Mover was already strongest as a two-latch feature: it wanted the broader Laurie/debug gate plus a second post-sequence latch. The Spanish build still shows that same two-stage shape at the branch level, even though the exact sequence writer has not yet been re-identified.
|
|
|
|
### Overlay / Hidden Debug Toggles
|
|
|
|
The Spanish build keeps the same broad gated overlay/debug cases:
|
|
|
|
- `13e8:19da` toggles byte `1478:0f40`
|
|
- `13e8:1a0a` toggles byte `1478:2be7`
|
|
- `13e8:1a36` toggles byte `1478:2be8`
|
|
|
|
These are the same structural hidden/debug lanes already identified in the English build.
|
|
|
|
## Laurie Path
|
|
|
|
The Laurie hint path is still present and still English-texted:
|
|
|
|
- `13e8:0e31` is the Laurie-hint computer-gump path in the Spanish build
|
|
- `1478:5fc6` still contains `FART ...TRY... -laurie (Have fun, Jely)`
|
|
|
|
The startup-side cheat text also remains English:
|
|
|
|
- `1478:0b45` = `Cheats are active.`
|
|
|
|
This is strong evidence against any broad localization-driven rewrite of the cheat/debug feature family.
|
|
|
|
The command-line side is also tighter now:
|
|
|
|
- `CommandLineArg_HandleLaurie` at `1050:093d` is the only recovered live writer of `1478:0910`
|
|
- no second non-`-laurie` writer of the broad gate was recovered in this Spanish pass
|
|
|
|
So `-laurie` still clearly enables the broad Spanish debug/event framework, but current live evidence does **not** show a second hidden input path that also raises that gate the way the English `jassica16` matcher does.
|
|
|
|
## F10 / Option-Key Side
|
|
|
|
The Spanish executable's option-key handler moved relative to the English live notes:
|
|
|
|
- the relevant function object lives at `1138:0896` in this build, not the English-side `1130:0896`
|
|
|
|
But the structure is still familiar:
|
|
|
|
- it checks gameplay-input state through `1478:0927`
|
|
- it reads surrounding controller/current-NPC state from the same neighborhood used by the English build
|
|
- the wider controller family around `1138:0896` / `1138:0b2d` / `1138:0d34` still looks like the same option-key and movement/control subsystem, just relocated
|
|
|
|
This pass did **not** fully re-close the Spanish F10 immortality leaf the way the English build is already documented, but there is no recovered evidence here that the Spanish build replaced the F10 cheat/control family with a different system.
|
|
|
|
Follow-up tightening on that question now makes the old English comparison weaker rather than stronger:
|
|
|
|
- the old English immortality-string slots at `1478:2850` / `1478:2866` are **not strings** in `/es/CRUSADER.EXE`; live bytes there are now pointer-like words, not `"Immortality disabled."` / `"Immortality enabled."`
|
|
- MCP data-use queries on those two Spanish addresses returned no code uses at all
|
|
- no explicit scan-code `0x44` F10 comparison was recovered in the currently identified Spanish gameplay-input handlers during this pass
|
|
|
|
Current safest Spanish-side answer is therefore narrower than the English build:
|
|
|
|
- the Spanish executable still preserves the broad Laurie/debug family
|
|
- but this pass still did **not** recover a direct Spanish equivalent of the English `F10` restore/refill branch or the modifier-gated immortality leaf
|
|
- so the old English `F10` health-replenish folklore should currently be treated as **unproven in `/es/CRUSADER.EXE`**, not as a still-confirmed surviving cheat path
|
|
|
|
## Secret Sequence Status
|
|
|
|
This pass now closes part of the Spanish-side uncertainty more tightly: the live Spanish build does **not** preserve the English `jassica16` scan-code table as a static data object in the obvious old locations.
|
|
|
|
Direct live byte-scan results against `/es/CRUSADER.EXE`:
|
|
|
|
- the exact English table `24 1e 1f 1f 17 2e 1e 02 07 00` was **not** found anywhere in initialized data `1478:0000-8c3f`
|
|
- the same exact table was **not** found in BSS / secondary data `1480:0000-1fff`
|
|
- even the shorter `jassica` scan-code prefix `24 1e 1f 1f 17 2e 1e` was absent from both of those Spanish data segments
|
|
- the old English-side matcher slot at `1478:2833` no longer contains the sequence bytes at all; it now reads as pointer-like words beginning `14 e8 11 3d 14 e8 11 02 05 28 10 ...`
|
|
|
|
What can be said safely:
|
|
|
|
- no alternate replacement secret sequence was recovered yet
|
|
- the English `jassica16` static data table is not present in the live Spanish data map where the English build keeps it
|
|
- the same surrounding cheat/debug framework remains intact
|
|
- the same `-laurie` parser, Laurie hint path, CD-transfer-display lane, Hack Mover lane, and broad hidden/debug gated event family all survive in recognizably the same form
|
|
- Hack Mover still has a second hidden precondition via `1478:8ad6` in addition to the broad gate at `1478:0910`, which is consistent with the Spanish build still retaining some post-sequence-style latch
|
|
|
|
Additional live xref evidence from the current Spanish-only pass narrows that further:
|
|
|
|
- `1478:0910` currently has only one recovered write in the live Spanish database: the `-laurie` parser at `1050:0985`. All other recovered uses are reads in the normal cheat/debug handler family.
|
|
- `1478:5fb3` currently has only two recovered writes: `13e8:0071` and `13e8:0077`, and both helpers are only called from the Laurie-hint/computer-gump helper `13e8:0e31`.
|
|
- `1478:8ad6` currently has only one recovered direct use: the Hack Mover pre-check at `13e8:249b`. No direct writer was recovered through MCP xrefs, data-use scans, or operand scans in this session.
|
|
- the nearby state cluster does not currently explain that byte either: `1478:8ad7` and `1478:8ad8` are written by the gameplay-input modal helpers `13e8:0e7d` / `13e8:0ef9`, and `1478:8ad9` is the live temp/state slot used by the Hack-Mover-adjacent runtime helper `13e8:282f`; but none of those neighboring compiled writes touch `1478:8ad6`
|
|
- One explicit multi-key helper still exists in the Spanish build, `11d0:024b`, but decompilation shows it is only a vararg `is current key in this list?` helper. Its only recovered caller in this session is the movement/control cluster at `1138:1b13`, not a cheat-toggle lane.
|
|
- Full decompilation of `World_HandleKeyboardInput` (`13e8:14b4`) did **not** recover any translated `~` / `0x7e` runtime toggle branch. The visible cheat/debug lanes still cover the broad `1478:0910`-gated overlay/CD/Hack-Mover family, but no Spanish equivalent of the English `event_0x7e_cheat_latch_runtime_toggle` was recovered.
|
|
|
|
That matters because it removes one easy false positive: the Spanish build still has generic key-list helpers, but the current live evidence does **not** tie any of them to a replacement `jassica16`-style cheat matcher.
|
|
|
|
So the live evidence now splits cleanly into two layers:
|
|
|
|
- the **framework** still matches the English cheat/debug family
|
|
- the **exact English `jassica16` data table** does not survive as the same static table in this Spanish target
|
|
|
|
Current best read:
|
|
|
|
- the online claim that the Spanish build still uses the exact same static `jassica16` table is **not** supported by the live Spanish data-segment bytes
|
|
- this pass still does not prove a replacement code
|
|
- but the live xref picture is now narrower than before: no recovered Spanish writer currently toggles the broad gate `1478:0910`, the keyboard-cheat latch `1478:5fb3`, or the Hack Mover pre-latch `1478:8ad6` in a way that looks like a hidden input-sequence success path
|
|
- current best working hypothesis is therefore no longer "same framework, unknown moved matcher" by default; it is now `same surrounding cheat/debug framework, but no recovered compiled Spanish replacement for the English jassica16 byte matcher`
|
|
- the same correction now applies to the practical `-laurie` plus tilde folklore too: current live Spanish evidence does **not** support a surviving translated `~` cheat-latch toggle, so the old English-side `-laurie` plus `~` bootstrap should currently be treated as **unproven and likely absent** in `/es/CRUSADER.EXE`
|
|
- the same caution now applies to the English `F10` replenish / immortality folklore too: the broad gameplay-input controller family is still present, but the old English immortality-string slots are repurposed in Spanish and no direct Spanish F10 cheat branch has been recovered in this pass
|
|
- the remaining possibilities are now: the Spanish build removed the hidden sequence entirely, moved it into an analysis-dark path MCP has not surfaced yet, or preserves only a dead/unused remnant such as the unresolved `1478:8ad6` gate
|
|
|
|
## Comparison Outcome
|
|
|
|
The Spanish build differs from the documented English build mainly by address relocation, not by cheat/debug behavior.
|
|
|
|
Confirmed same-family behaviors:
|
|
|
|
- broad `-laurie` / hidden-debug gate still present
|
|
- gameplay-input suppression gate still present
|
|
- separate `1478:5fb3` gate byte still present and widely read in the keyboard handler family
|
|
- `Ctrl+Q` still maps to CD transfer display, not immortality
|
|
- Hack Mover lane still present
|
|
- Laurie hint path still present
|
|
- English cheat/debug strings still embedded in the Spanish executable
|
|
|
|
Current practical read for cheat use:
|
|
|
|
- `-laurie` still appears to enable the broad debug/event family in the Spanish executable
|
|
- current live Spanish evidence does **not** show the English-side `~` runtime latch toggle
|
|
- so the usual English `-laurie` plus `~` route to the broader keyboard-cheat state is not currently supported by the Spanish static analysis
|
|
- current live Spanish evidence also does **not** yet prove that the English `F10` restore/refill or modifier-gated immortality path still survives in compiled form
|
|
|
|
## Definitive Enable Model
|
|
|
|
Current strongest Spanish-side answer to "how are the cheats enabled" is now much simpler than the older folklore:
|
|
|
|
- the **only recovered positive enabler** is still `-laurie`
|
|
- `CommandLineArg_HandleLaurie` at `1050:093d` writes `1478:0910 = 1`
|
|
- every broad hidden/debug branch recovered in `World_HandleKeyboardInput` that still behaves like the English Laurie/debug family checks that same `1478:0910` gate
|
|
|
|
The supposed runtime latch at `1478:5fb3` no longer looks like an enabler in the Spanish build:
|
|
|
|
- all recovered keyboard-handler branches that consult `1478:5fb3` require it to be **zero**, not one
|
|
- the only recovered writes are still `13e8:0071` (`set 1`) and `13e8:0077` (`set 0`)
|
|
- `Game_ShowLaurieHintComputerGump` calls those two helpers back-to-back, so the Laurie-hint path pulses the byte and leaves it cleared
|
|
|
|
Current safest read is therefore:
|
|
|
|
- `1478:0910` is the only proven positive Spanish cheat/debug enable gate
|
|
- `1478:5fb3` is not a recovered "cheats on" latch in this build; it behaves more like a transient suppression/guard byte, and possibly a vestigial leftover from the English-side keyboard-latch design
|
|
- `1478:8ad6` is the only still-plausible unresolved secondary latch, because Hack Mover checks it directly before checking `1478:0910`
|
|
|
|
That gives a more definitive practical answer than the earlier passes: the compiled Spanish build still contains cheat/debug hotkeys, but the only proven way to enable the broad gated family is `-laurie`. No second runtime input path that raises the gate or a full keyboard-cheat latch has been recovered.
|
|
|
|
## Keyboard Hotkey Split
|
|
|
|
The main Spanish keyboard handler still contains a sizeable hotkey table, but it now splits into two different groups.
|
|
|
|
### Proven `-laurie`-Gated Debug Lanes
|
|
|
|
These branches all require `1478:0910 != 0`, so they are the clearest surviving Spanish cheat/debug hotkeys:
|
|
|
|
- `0x410`: still toggles CD transfer display (`1478:5fb7`) and posts `CD TRANSFER DISPLAY ACTIVE/INACTIVE`
|
|
- `0x141`, `0x241`, `0x441`: still toggle the same hidden overlay/debug bytes as the English build
|
|
- `H` / `h`: still toggles Hack Mover, but only if `1478:8ad6 != 0` as well as `1478:0910 != 0`
|
|
- `F`: still toggles byte `1478:2d14` after `NPC_SetAvatarInStasis(0)`
|
|
- `T`: still has a direct `1478:0910` gate and acts on the current controlled NPC through `10a8:2667`
|
|
|
|
### Player-Only Selection / Debug Utilities
|
|
|
|
These branches do **not** prove a separate cheat-enable path. They mostly require the local `local_3` player/controlled-NPC condition and also require `1478:5fb3 == 0`, which is exactly the state left behind by the Laurie-hint helper pulse:
|
|
|
|
- `R` / `r`: toggles the targeting reticle byte `1478:28a5` and posts the Spanish active/inactive strings
|
|
- `Q` / `q`: cycles one `1..5` selector family backward through `13e8:0c07`
|
|
- `W` / `w`: cycles that same `1..5` selector family forward through `13e8:0c72`
|
|
- `I` / `i`: cycles one `0x0b..0x19` selector family backward through `13e8:0d5f`
|
|
- `O` / `o`: cycles that same `0x0b..0x19` selector family forward through `13e8:0dc0`
|
|
- `C` / `c` and `S` / `s`: enter the `13e8:3094` browsing/selection helper with mode `1` or `0`, which also sets `1478:5faf` while active
|
|
- `E` / `e`, `M`, and `U` / `u`: object/selection-manipulation helpers that also require the local player-controlled condition and `1478:5fb3 == 0`
|
|
|
|
So the keyboard evidence no longer supports a Spanish equivalent of the English layered model `master gate + tilde keyboard latch`. It supports a narrower model instead:
|
|
|
|
- `-laurie` enables the broad Spanish debug/event hotkeys through `1478:0910`
|
|
- several additional letter-key utilities still exist in the same handler, but they do not currently prove any second cheat-enable latch
|
|
- Hack Mover is the one conspicuous remaining exception because it still demands the unrecovered `1478:8ad6` latch as well
|
|
|
|
Unclosed item:
|
|
|
|
- direct proof of any live Spanish secret scan-code matcher routine at all, direct proof of a surviving Spanish `F10` cheat lane if one still exists, plus the exact writer of the secondary latch at `1478:8ad6`
|
|
|
|
## Recommended Follow-Up
|
|
|
|
If the Spanish question is revisited, the next focused step should be a direct recovery of the writer for `1478:8ad6` and any non-`-laurie` writer of `1478:0910`, rather than another sweep of the already-stable broad cheat/debug event lanes. At the moment, those two missing writers are the strongest remaining path to proving whether the Spanish executable still has any hidden cheat-trigger sequence at all. |